
Thesis for the degree Doctor of Philosophy

By Iftach Haitner

New Implications and Improved Efficiency of Constructions Based on One-way Functions

Advisor: Prof. Omer Reingold

March 2008 (Adar I 5768)

Submitted to the Scientific Council of the Weizmann Institute of Science, Rehovot, Israel

To my father, Moti Haitner, who knew little about Science, but much about what it takes to be a Human Being.

Summary

Since most interesting cryptographic tasks are impossible to achieve with absolute, information-theoretic security, modern cryptography aims to design cryptographic primitives (i.e., algorithms/protocols) that are computationally infeasible to break (i.e., secure against computationally bounded adversaries). Proving lower bounds of the type needed, however, seems beyond the reach of current techniques in complexity theory.[1] Thus, research in the Foundations of Cryptography has aimed to design primitives based on complexity assumptions that are as weak as possible. It is well known that the assumption that one-way functions exist is necessary for most cryptographic primitives. It is then natural to pose the opposite question. Namely, does the existence of one-way functions imply the existence of all cryptographic primitives? Here we consider some of the most fundamental primitives in cryptography and prove the following results about the power of one-way functions in implementing these primitives.

Statistically hiding commitments. Statistically hiding commitments (ones where the hiding property holds against even computationally unbounded adversaries) are among the few fundamental primitives for which we have failed to find an exact characterization.
That is, until recently it was only known how to build these primitives from seemingly stronger assumptions than the existence of one-way functions, yet there was no black-box separation between these primitives and one-way functions. We resolve the complexity of statistically hiding commitments, giving a construction of statistically hiding commitment schemes under the minimal complexity assumption that one-way functions exist. By this we give a positive answer to an open question posed by Naor, Ostrovsky, Venkatesan, and Yung (CRYPTO '92, J. Cryptology '98).

Pseudorandom generators. We present a construction of pseudorandom generators based on regular one-way functions that is significantly better (in terms of security and efficiency) than the previous construction of Goldreich, Krawczyk and Luby (FOCS '88, SIAM J. on Computing '99) (i.e., the input length of our generator is Θ(n log n) compared to Θ(n^3) in Goldreich et al., where n is the input length of the underlying one-way function). In addition, we present a construction of pseudorandom generators from any one-way function that improves the construction of Håstad, Impagliazzo, Levin and Luby (STOC '89, STOC '90, SIAM J. on Computing '99). Finally, we show a rather efficient construction of a pseudorandom generator (input length Θ(n^2)) based on one-way functions with exponential hardness. Our construction significantly improves the previous construction due to Holenstein (TCC '06) (input length Θ(n^5)).

[1] Indeed, it would require at least proving that P ≠ NP.

Interactive hashing. We give an alternative proof for the interactive hashing protocol of Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92, J. Cryptology '98), which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security preserving the reduction is).
Finally, our proof implies a more versatile interactive hashing theorem in a more general setting than that of Naor et al.

Hardness amplifications. We present a reduction for security amplification of regular one-way functions, which incurs only Θ(n log(n)) blow-up in the input length. This improves upon the reduction of Goldreich, Impagliazzo, Levin, Venkatesan and Zuckerman (FOCS '90) in that the reduction does not need to know the regularity parameter of the functions (in terms of security, the two reductions are incomparable).

Acknowledgements

It is a great pleasure to thank the many people who helped me during my thesis.

First and foremost, I wish to thank my advisor Omer Reingold. I am grateful to Omer for his patience and for sharing with me so much of his knowledge and wisdom. During the long conversations we had together, I learned a lot about science, but even more importantly, about how to enjoy science. With Omer's companionship, no task seemed too frightening. While never hesitating to provide sincere and determined opinions, Omer always did it in the most gentle way, teaching me a lot about the right way to deliver your point of view. Finally, I am grateful to Omer for his personal advice and friendship; I will always be in debt for it.

My interest in Cryptography originated during my Masters studies with Oded Goldreich. Cryptography never seems more exciting than while being taught by Oded. Oded guided my first steps as a scientist, and helped me discover the beauty of research. Finally, numerous times through my PhD studies I came to Oded seeking advice (both on scientific and "non-scientific" issues), and always benefited from his smart and unconventional opinions.

Oded Goldreich and Moni Naor served as my very helpful and joyful interim and final examination committee, and I would like to thank them for that.

Ronen Shaltiel was my first coauthor and was the first to see me as a colleague.
Since then, Ronen enriched my education with many of his very intelligent and insightful observations.

Throughout my studies, I have had the fortune of interacting with Yuval Ishai. His deep solid insights, everlasting patience and affection for Cryptography opened up a new world.

During my last year at Weizmann Institute, I have had the fortune of interacting with Shafi Goldwasser. I am very grateful for her patience, and for the long hours she spent helping me to transform my thoughts into more digestible material.

Other researchers that have deeply influenced my research include Cynthia Dwork, Yuval Emek, Danny Harnik, Jonathan Hoch, Thomas Holenstein, Yehuda Lindell, Jonathan Katz, Tal Moran, Moni Naor, Alon Rosen, Gil Segev and Salil Vadhan. I am very grateful for my discussions with them. In particular, I would like to thank Danny Harnik for the collaboration that yielded the results presented in Chapters 5 and 6.

I had benefited a lot from the Students Theory Seminar organized by Dana Moshkovitz and from the Crypto Reading Group organized by Shafi Goldwasser, and would like to thank them for their efforts.

I had many happy times during these years at Weizmann Institute. Dan Levi, Shai Litvak and Lior Noy took part in many of them. The "non-scientific" activities in Weizmann Institute had also contributed a lot to my well being; this list includes the chess club, the swimming group, the Ultimate Frisbee group, and most importantly the Playback Theater group. I am in great debt to the people who made these activities possible.

Finally, I would like to thank my wife Liat, for her love and support through these long years. This thesis would never have happened without her.

Contents

1 Introduction
  1.1 Overview
  1.2 Statistically Hiding Commitment
    1.2.1 Our Results
  1.3 Interactive Hashing
    1.3.1 Our Results
  1.4 Pseudorandom Generators
    1.4.1 Our Results
  1.5 Hardness Amplification
    1.5.1 Our Results
  1.6 Outline
2 Preliminaries
  2.1 General Notations
    2.1.1 Interactive Protocols
    2.1.2 Distributions and Entropy
  2.2 Pairwise Independent Hash Functions
    2.2.1 Almost Pairwise Independent Hash Functions
  2.3 Randomness Extractors
    2.3.1 One-way Functions
    2.3.2 The Security of Cryptographic Constructions
3 Statistically Hiding Commitments From Any One-Way Function
  3.1 Introduction
    3.1.1 Our Results
    3.1.2 Our Techniques
    3.1.3 Outline
  3.2 Preliminaries
    3.2.1 Universal One-way Hash Family
    3.2.2 Commitment Schemes
    3.2.3 Two-phase Commitment Schemes
  3.3 The Construction
    3.3.1 Analyzing the Transformation
  3.4 Putting it Together
  3.5 Conclusions
4 A New Interactive Hashing Theorem
  4.1 Introduction
    4.1.1 Interactive Hashing in the Setting of One-Way