Electronic Colloquium on Computational Complexity, Revision 2 of Report No. 99 (2017) Multi-collision Resistance: A Paradigm for Keyless Hash Functions Nir Bitansky∗ Yael Tauman Kalai† Omer Paneth‡ August 6, 2018 Abstract We introduce a new notion of multi-collision resistance for keyless hash functions. This is a natural relaxation of collision resistance where it is hard to find multiple inputs with the same hash in the following sense. The number of colliding inputs that a polynomial-time non-uniform adversary can find is not much larger than its advice. We discuss potential candidates for this notion and study its applications. Assuming the existence of such hash functions, we resolve the long-standing question of the round complexity of zero knowledge protocols — we construct a 3-message zero knowledge argument against arbitrary polynomial-size non-uniform adversaries. We also improve the round complexity in several other central applications, including a 3-message succinct argument of knowledge for NP, a 4-message zero-knowledge proof, and a 5-message public-coin zero-knowledge argument. Our techniques can also be applied in the keyed setting, where we match the round complexity of known protocols while relaxing the underlying assumption from collision-resistance to keyed multi-collision resistance. The core technical contribution behind our results is a domain extension transformation from multi- collision-resistant hash functions for a fixed input length to ones with an arbitrary input length and a local opening property. The transformation is based on a combination of classical domain extension techniques, together with new information-theoretic tools. In particular, we define and construct a new variant of list-recoverable codes, which may be of independent interest. ∗Tel Aviv University, email [email protected]. Member of the Check Point Institute of Information Security. Supported by the Alon Young Faculty Fellowship and by Len Blavatnik and the Blavatnik Family foundation. Part of this research was done while at MIT. Supported by NSF Grants CNS-1350619 and CNS-1414119 and DARPA and ARO under Contract No. W911NF- 15-C-0236. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the DARPA and ARO. †Microsoft Research, email [email protected]. ‡MIT, email [email protected] Supported by NSF Grants CNS-1350619 and CNS-1414119, and the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236. ISSN 1433-8092 Contents 1 Introduction 1 1.1 Results...................................................2 1.1.1 Round Reduction.........................................2 1.1.2 More Applications........................................3 1.1.3 The Core Technical Result....................................4 1.2 Candidates for Multi-collision-Resistance................................4 1.3 More on Multi-collision Resistance....................................5 1.4 Technical Overview............................................7 1.5 Concurrent and Independent Work.................................... 12 2 Preliminaries 12 2.1 Zero-Knowledge Protocols........................................ 13 3 Multi-collision-resistant Hash Functions 13 4 Multi-collision-resistant Hash with Local Opening 14 4.1 Ingredient I: Hash Trees......................................... 16 4.2 Ingredient II: Collision-Free Code.................................... 20 4.2.1 Construction........................................... 21 4.3 Construction................................................ 23 4.4 Proof of Theorem 4.6........................................... 25 4.4.1 The Extractor........................................... 26 4.4.2 Analysis.............................................. 27 5 3-Message Succinct Arguments for NP 30 5.1 Succinct Arguments for Non-Deterministic Computations........................ 30 5.2 Probabilistically-Checkable Proofs.................................... 31 5.3 Construction................................................ 32 6 3-Message Zero Knowledge via Weak Memory Delegation 34 6.1 Weak Memory Delegation........................................ 35 6.2 Oracle Memory Delegation........................................ 37 6.3 Construction................................................ 38 7 1-Message Statistically-Hiding Commitments with Weak Binding 42 7.1 Definition................................................. 43 7.2 Construction................................................ 43 8 4-Message Zero-Knowledge Proofs 44 8.1 Construction................................................ 45 8.2 Analysis.................................................. 45 A Multi-collision Resistance in the Auxiliary-Input Random Oracle Model 54 B Construction of 3-Round Zero-Knowledge Argument 55 B.1 Witness Indistinguishability with First-Message-Dependent Instances................. 55 B.2 1-Hop Homomorphic Encryption..................................... 57 B.3 A 3-Round Zero-Knowledge Argument................................. 57 C Achieving Local Opening Generically in Fully-Binding Commitments 58 C.1 Overview................................................. 58 C.2 Interactive Commitments......................................... 60 C.3 Transformation.............................................. 61 C.4 Analysis.................................................. 63 1 Introduction Collision-resistant hash functions are central to cryptography. They are used everywhere to compress communication and storage, from simple applications such as hash-and-sign to advanced applications like reliable delegation of data and computation [Mer89, Dam89, DPP93, BEG+94]. They also have strong implications to foundational concepts in the theory of cryptography and complexity, including succinctness of proofs, non-black-box techniques, and hardness of total search problems [Kil94, Bar01, MP91, KNY17b]. In this work, we study a natural relaxation of collision resistance called multi-collision resistance. Roughly speaking, a shrinking hash function is multi-collision-resistant if finding many (rather than two) inputs that hash to the same output is intractable. We formalize this notion, explore its applications, and develop techniques for robust composition of multi-collision-resistant hash functions. Keyless Hash Functions. Our main motivation for studying multi-collision resistance comes from the setting of keyless hash functions. It is well-known that (full) collision resistance cannot be satisfied by any single (fixed) function. Indeed, for any shrinking function, there exist algorithms that can efficiently find collisions, by simply having such collisions hardwired in their code. Accordingly, in the theoretical treatment of collision-resistance, we consider keyed families of hash functions, requiring that efficient algorithms cannot find collisions when the key is chosen at random. Due to this modeling, applications often require additional trust assumptions or rounds of communication (to set up the key). Furthermore, this model does not align with practice, where fixed cryptographic hash functions such as SHA-2 are widely used. In light of the above, a common approach to analyzing keyless hash functions is to consider restricted adversarial models, for example, the class of uniform adversaries whose description is smaller than the size of the hash function’s inputs. In practice, however, for any reasonable choice of hash function, the adversary’s description may very well be larger than the input size. Other common paradigms for dealing with keyless hash functions include the random oracle methodology [BR93] and the human ignorance approach of Rogaway [Rog06]. (See further details in the related work section.) We suggest a new paradigm for the treatment of keyless hash functions based on multi-collision resistance. The paradigm aims to guarantee security in the standard model against adversaries with arbitrary (polynomial-size) non- uniform description, based on a well-defined simple hardness assumption on hash functions. We observe that while keyless hash functions cannot be collision resistant, they may satisfy multi-collision-resistance if we only require that the number of collisions that the adversary can find is not much larger the adversary’s description (including the size of its non-uniform advice). More formally, consider any fixed hash function H : f0; 1g2λ ! f0; 1gλ ; λ2N where λ is a security parameter, and note that multi-collisions of size 2λ always exist. We will say that H is K-collision resistant, for a polynomial K(·), if for any two polynomials ζ(·) and T (·), no adversary with non-uniform advice of size ζ(λ) and running-time T (λ) can find K(ζ) distinct inputs: X1;:::;XK such that H(X1) = ::: = H(XK ) : Crucially, the same collision bound K(ζ) holds regardless of the (polynomial) running time T , and depends only on the size ζ of the non-uniform advice. The larger K is the weaker the notion is, and our results throughout can be based on any polynomial K. (For concreteness, the reader may think of K as a specific polynomial, say quadratic.) The Keyed Setting: Relaxing Collision Resistance. Another motivation for studying multi-collision resistance comes from the setting of keyed hash functions, which is fundamentally different from the keyless setting. In the keyed setting, multi-collision resistance is a natural relaxation of standard collision resistance, and may potentially be based