Hi, everyone, my name is Eylon Yogev. This is joint work with Ilan Komargodski, somewhere here in the audience. And this will be about distributional collision-resistant hash.

So let's start with a quote. Eylon Yogev asks less of a hash function and it is less likely to disappoint you. So what security definition do we want for our hash functions? So this depends on the application. We have many different applications, and sometimes you can settle for less secure, for weaker definitions of security, and that's, of course, better. So we have all sorts of security definitions. Maybe the most standard one is CRH, a collision-resistant hash. We also have a weaker security definition, universal one-way hash function, and also recently introduced the notion of multi-collision-resistant hash, and I'll talk about the differences between these definitions.

So what is a collision-resistant hash? So I have a family of functions, and each member of this family is efficient, and it's easy to sample a function from this family, and every function in this family is compressing. So for this talk I just assume it compresses 2n bits to n bits. And then we have the security definition, and this is modeled by a game, and in this game we have a challenger and an adversary. The challenger picks a random function H from the family, sends it to the adversary, and the goal of the adversary is to find x1 and x2 that, of course, are different but collide under H. And we say that the CRH is secure if no polynomial-time adversary can find such a collision with a good probability.

Okay, what is a universal one-way hash function, introduced by Naor and Yung? Here it's the same setting of a family of hash functions that are efficient and compressing. The security game is a bit different. Here the challenger picks H and he also picks a random element x1, and now the goal of the adversary is to find x2 that is, of course, different than x1, that collide under H.
So this is a much harder task for the adversary. He cannot control x1, he gets x1 and he can only control x2, and because the task is harder, this is actually a weaker primitive, this is a weaker security notion.

In a recent work with Komargodski and Naor we introduced a notion of multi-collision resistant hash, and here again it's the same setting, except that now the task of the adversary is to find a k-collision, a k-way collision. So this is a tuple x1 to xk that are all distinct but hash to the same value. Okay, so these are not k pairs that collide. These are k distinct elements that have the same value under the hash function.

So these are three definitions of hash functions. I sum them up in this slide. One-way function is the weakest form of the three, and it was shown to be sufficient for things like the hash-and-sign paradigm, and we know how to construct them for many one-way functions. CRH, collision resistant hash, we have many different assumptions that we know how to build CRH from: LWE, discrete log, factoring and more. And recently the notion of MCRH has been shown that we can construct it, and there are even weaker assumptions than CRH, for example some notion of entropy approximation, and also in recent works it's shown that this notion, even though it's much weaker than CRH, is still useful for many applications. Okay. So you have these three definitions and you can use each for the appropriate construction.

And now, if this wasn't confusing enough, I want to talk about another definition. So this is distributional collision resistant hash. This was introduced by Dubrov and Ishai, and here the setting is the same, only the security game is different. The challenger is sending a random H in the family, and now the task of the adversary is not to find any arbitrary collision, but actually he has to find a random collision. Okay. So it has to be much stronger, the task is much harder for the adversary. What is a random collision?
So think of the following process: I just sample a random element X1 in my domain, and now I'm going to sample X2 conditioned on X2 being a collision with X1, so it's going to be uniform in the preimage of H of X1. Okay. And I'm going to call this a random collision, and then I'm going to output X1 and X2. So this is a random variable, collision H, and now my security requirement is that the statistical distance between the collision that the adversary outputs and this random variable is very small, to some negligible function epsilon. Okay. So you can forget about the precise definition, but just going back to this, you remember that the task of the adversary is to find a random collision, not an arbitrary collision.

So a few fun facts about distributional collision resistant hash, DCRH. So as I said, this is used by Dubrov and Ishai. They introduced it in the context of efficient sampling. They had this win-win result that either DCRH exists or something regarding the complexity of efficient sampling holds. I'm not going to describe it now, but it's very interesting.

I want to note that these distributional collision resistant hash functions are a very weak primitive. So if you give the adversary this function H, he might be able to find all the collisions under H, and still this doesn't break the security of our object. Okay. As long as he can find the collision in some skew distribution, not the uniform one. So the security only says that he cannot find a random collision according to the uniform distribution I defined.

A distributional one-way function, if you heard of them: where in a one-way function the task is to invert the function and find some preimage, in a distributional one-way function the task is to find a random preimage. And Impagliazzo and Luby actually showed that for one-way functions they are equivalent, existentially equivalent, but this seems unlikely in the case of CRH.
And last fun fact: DCRH are actually black box separated from one-way permutations, even if you put along obfuscation. So actually all black box results that separate CRH from one-way permutation, if you just look at the proof, they actually separate one-way permutation from distributional collision resistant hash. So really just the proof as is works for DCRH but not only CRH.

Okay, what are our results? We give two constructions of distributional CRH. One is black box, one is not. One is efficient, one is really not. And one is explicit and one is not. What we're going to show today, I hope, is the one that is not. So this is really a more theoretical result. It's really not practical in any means, just to see how to compare these objects with others.

So the first result is a construction of DCRH from this notion I told you about called multi-collision resistant hash. So we give a non-black box construction of a DCRH from any K-MCRH for any constant K. K is the parameter of the size of the tuple you need to find. So a 2-MCRH is just CRH, but you can set K to be 3 or 4 or 5 or any constant. So the proof is not constructive, as we'll see in a minute, and it uses the adversary in a non-black box way. It doesn't really yield a full DCRH, it's only infinitely often, for infinitely many n's, but let's forget about this for now. And this partially resolved an open question by Berman et al.

The second result we give, this is a real construction, explicit, black box, where the assumption is the average-case hardness of SZK, statistical zero knowledge. Just two fun facts on this. So previously, from the hardness of statistical zero knowledge we didn't know how to build any form of hashing, except that it implies one-way functions, which is equivalent to the notion of universal one-way hash functions. And another corollary that we get is that, since we already know that obfuscation and one-way permutations cannot imply in a black box manner CRH, collision resistant hash, and as I said this
applies also for distributional collision resistant hash, we get that IO plus one-way permutation doesn't imply the hardness of statistical zero knowledge, because otherwise we would get IO plus one-way permutation, we would get statistical zero knowledge, and from that we can build a DCRH, which contradicts this thing. So this was already known in a paper by Bitansky et al, but it's very nice that we get it as a corollary of our construction.

Okay. So let's try to put a result on a map. So we have collision resistant hash up here and one-way functions down here, and multi-collision resistant hash is the weaker notion, and these two things are black box separated, and in the paper on MCRH we also saw the black box separation of MCRH from standard CRH. And MCRH are also black box separated from one-way functions and imply one-way functions, so we can remove this. As I said, we can build MCRH called entropy approximation, which implies stronger assumption than SZK, that implies one-way function. And now we can put distributional CRH back on the picture, and this is of course a weaker notion than CRH, and we show that it implies one-way functions, and as I said it's black box separated from one-way functions, and so also this black box separation applies here. But first construction is actually a non-black box construction of MCRH from DCRH, even though they are separated in a black box model, and the second construction is we build DCRH from SZK.

Okay, so let's jump to the proof. So I'll show you the proof assuming I have a 3-MCRH, so I have a hash function where adversaries cannot find a 3-tuple that collide, and I want to build a DCRH, meaning a hash function where it's hard to find a random tuple that collide. So let's just assume H is my MCRH family, okay, and it compresses 2n bits to n bits, and let's assume that DCRH do not, okay, DCRH do not exist, meaning I have an adversary A that can find a random collision under H. And just an easy fact: the size of pre-image of a random, for a random X the
size of pre-image should be very large, because hash compresses enough.

So of course I can run A on this hash function H and get a random collision X1, X2, and I can run it again and get another collision X3, X4. Okay, but this won't be a 3-tuple, okay, because X3 and X4 are going to collide to a different value than X1, X2, okay, because this is a random collision. Somehow I need to make the adversary sample X1, X2, that's great, and then make him sample another collision conditioned on colliding with the first one. Okay, but this is of course in general impossible, to run an algorithm conditioned on some probability.

So let's see what we do. We're going to define a new hash family H prime. This hash family is going to depend on our MCRH H and also on the adversary A. Okay, so H prime is going to get as an input X, and it's going to interpret X as random coins to run the adversary A. Okay, so I'm going to give the definition. Just some small notation here: A1 is exactly the adversary A that outputs a tuple, I'm looking only at the left part, at X1. Okay, so this is exactly A, just I'm taking only the left part. And now the definition is as follows. So what is this new hash function H prime? So now I'm going to write this as an R, this is the input. It takes this input, uses it to run the adversary A with the original hash function H, two elements X1, X2, I'm taking only the left one, X1, and I'm running H on this left one, and that is my final output. Okay, so this is a new family H prime.

And I guess this might be a bit confusing at this point, so let's just see it again with a picture. So this is the same construction, okay, this is the code of the construction. So the input is R, and R is L bits, where L is the amount of random coins that the adversary A uses. So I don't know how much it uses, it's some polynomial many, and this I call L. And then I use this, I run A and I get a tuple X1, X2, but I'm taking only the left side, okay, so this would be X1, and then I'm applying my H here and I'm
getting Y. So this is the construction of H prime.

Now what can we do? So we assume that distributional collision resistant hash do not exist, so there's another adversary A prime that can break H prime as a distributional collision resistant hash. Okay, so now we're going to use A prime and A in order to find a 3-collision with respect to our original hash function H.

So this is what we do. So how does the algorithm work? It gets H as an input. It defines H prime, okay, this is just a notation, okay, we define the hash function H prime. Then we're going to run A prime, okay, the adversary for H prime, and it will find two random strings R1 and R2 that collide under H prime. We're going to use the first one, we're going to run A, we're going to get two elements X1 and X2. These elements are going to collide under H. Okay, this is easy, this we could do to begin with: you just run the adversary on a random string, it will get you a random collision. But now we have this other value R2, so this is another random string. Note that R2 is not really a random string, okay. R1 is a random string, and this is only a random string conditioned on colliding with R1 under H prime, so it's not a random string, it's an arbitrary string. So I don't really know what happens when I run A on this arbitrary string, but I run it, it outputs X3 and X4, and then my final output is X1, X2, X3.

And now I claim that these three elements are going to be a collision under H. Okay, so I need to prove two things. I need to prove that they collide under H and that they are distinct. So the fact that they collide is actually easier. So we know that A is going to succeed with high probability, okay, so H of X1 is going to equal H of X2. And then we know that R2 is sampled to collide with R1 under H prime, so just if you write this as definition you get this equation, as H when the adversary with these random coins and these random coins collide, which exactly means that H of X1 equals H of X3, because the output of this is X1, the output
of this is X3, and we have that the hashes are the same. So actually we have that the three collide. Note that I don't know anything about H of X4, I don't know that it's actually a collision with H of X3.

Okay, now I want to claim that the three are distinct. So the first fact is that since R1 was uniform, then what we got here is actually a random collision, so X1 and X2 are random and the probability of them being the same is very, very small. Okay, this is again because we said the set of pre-images is very large. The hard part is to show why X3 is different than X1 and X2, okay, why this element must be different than X1 and X2, because R2 wasn't a random string.

So we're going to go back to the drawing of the construction. So again, A1 is the adversary that takes random coins and then outputs some X, this is the left side, and then we take this X. And now we look at all the pre-images of Y, and for each element in the pre-image we look at R of X1, which is all the random coins that make A output the element X1, okay, and these are all the random coins that make A output the element X2, and all these are elements that go to Y. And the probability that X3 equals X1, okay, and you can do the same for X2, just to show that X3 is different than X1, is the probability that the random string R2 must be one of the random strings here, okay, this just means that it will output X1.

So now I need to look at this mapping, okay, how does A act as a mapping between these two sets. Because A is an adversary for a DCRH, the way it maps random coins to elements is very nice, because it outputs a uniform distribution of collisions. So this is not an arbitrary mapping, but we have that roughly this size R X1 is equal to R X2, because the probability of X1, this is a uniform element, so probability of X1 equals the probability of X2, so the number of random coins leading to X1 needs to be proportional to the number of random coins leading to X2. Okay, so we have here, and now we know that R2 is a random string of
length N conditioned on being a collision with R1, meaning it's either from this bubble here or maybe this bubble or any bubble that leads to one of these sets in the pre-images of Y. Okay, and this is a large set, so we have exponentially many such big bubbles, and the probability of R2 being in any specific one of them is equal, because it's a random string conditioned on being in one of the bubbles that lead to an element here. So the probability of it being just exactly in R X1 is equal to the probability of R X2, and such we have many, this probability is very small. But what we get is that X3 is going to be different, this probability is very, very small, and X3 is going to be different than X1, and the same holds for X2. So I know this is a bit complicated, but really this is the whole proof, and this was for a 3-MCRH.

Okay, what happens if I want to prove for a 4-MCRH? So remember, already the proof broke down because I didn't know what to do with X4. But if you look at what we did, we said that, okay, if A can find a random collision, then this new algorithm that we built can find a 3-way collision, and actually the way the proof worked is by showing that we found a random 3-way collision. That's why they were all distinct, because they're actually random elements conditioned on colliding. So now we can do this recursively, and we can use this algorithm as our starting point that finds a 3 random collision and construct a new algorithm that finds a random 4-collision. Okay, this is going to be really the exact same way, and you can do this from K to K plus 1. So this works, and you have a major blow up in the running time of the construction and everything, so you can apply it for any constant K but not more.

So again, this was the summary of our construction, and just to end with an open problem. So we've shown that MCRH implies a distributional CRH. What about going from distributional CRH to CRH, as in the one-way function case? So we don't know of any construction, and also we could not be
able to show a black box separation, so both a positive and a negative result here would be interesting. Okay, thank you.
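
The reduction described in the talk (define H'(r) = H(A_1(r)), take a random collision r1, r2 under H', output x1, x2 from A(r1) and x3 from A(r2)), run at toy size as an added example that is not part of the talk or the paper. It assumes a random lookup table standing in for H and brute-force "ideal" adversaries, which is only possible because n is tiny; all function names are made up for the illustration.

```python
import random
from collections import defaultdict

N_OUT = 6          # toy n; h compresses 2n bits to n bits
N_IN = 2 * N_OUT
COIN_BITS = 16     # l, the number of random coins A consumes

def make_hash(seed):
    """Toy stand-in for h: a fixed random table, plus its preimage sets."""
    rng = random.Random(seed)
    table = [rng.randrange(2 ** N_OUT) for _ in range(2 ** N_IN)]
    pre = defaultdict(list)
    for x, y in enumerate(table):
        pre[y].append(x)
    return table, pre

def adversary_a(table, pre, coins):
    """A(r): x1 uniform, x2 uniform in the preimage of h(x1); r is its only randomness."""
    rng = random.Random(coins)
    x1 = rng.randrange(2 ** N_IN)
    return x1, rng.choice(pre[table[x1]])

def build_h_prime(table, pre):
    """Tabulate h'(r) = h(A_1(r)) over all coin strings and bucket the coins by output."""
    hp = [table[adversary_a(table, pre, r)[0]] for r in range(2 ** COIN_BITS)]
    buckets = defaultdict(list)
    for r, y in enumerate(hp):
        buckets[y].append(r)
    return hp, buckets

def adversary_a_prime(hp, buckets, rng):
    """A': random collision under h' (r1 uniform, r2 uniform among coins colliding with r1)."""
    r1 = rng.randrange(2 ** COIN_BITS)
    return r1, rng.choice(buckets[hp[r1]])

def three_collision(table, pre, hp, buckets, rng):
    """The reduction from the talk: output x1, x2 from A(r1) and x3 = A_1(r2)."""
    r1, r2 = adversary_a_prime(hp, buckets, rng)
    x1, x2 = adversary_a(table, pre, r1)
    x3, _ = adversary_a(table, pre, r2)
    return x1, x2, x3

def run_experiment(trials, seed):
    """Return (#triples that collide under h, #triples with three distinct elements)."""
    table, pre = make_hash(seed)
    hp, buckets = build_h_prime(table, pre)
    rng = random.Random(seed + 1)
    collide = distinct = 0
    for _ in range(trials):
        xs = three_collision(table, pre, hp, buckets, rng)
        collide += len({table[x] for x in xs}) == 1
        distinct += len(set(xs)) == 3
    return collide, distinct

if __name__ == "__main__":
    print(run_experiment(200, seed=1))
```

Every triple collides by construction; the few that fail distinctness are the cases the talk bounds by the size of the preimage set, which here is only about 64 elements.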