Okay, hi. Thank you. This is joint work with Nir, Iftach and Ilan. First, thank you all for staying for the last talk of the conference. I really appreciate it. So this is a talk about hashing, and I want to start this talk with my favorite quote: "Ask less of a hash function and it's less likely to disappoint you." Okay, and the meaning is that there is no right notion of security of a hash function. This really depends on the application. So we have a lot of applications of hash functions, and for each you can get the application with a different notion of security.

So let's start with the most basic notion of security. Okay, I see most of you have seen something like this. There's a collision resistant hash function, a CRH. So this is going to be a family of hash functions H. Okay, so we have a family of functions. Each function in the family is... so you can efficiently sample a function from the family. The functions are efficiently computable. They have to be compressing. Okay, if your hash function is not compressing, maybe that's not too big a challenge. And what is the security? So the security is formalized with this game. Okay, this is a very simple game. We have a challenger. He just sends a random h from the family, and the adversary needs to return x1 and x2. And we say that the adversary wins if h of x1 equals h of x2, and of course they are different. Okay, they're not the same value. So this is the standard notion of a collision resistant hash.

Okay, I want to talk about distributional collision resistant hash. So this was a notion first defined by Dubrov and Ishai. So we still have this family of hash functions. Okay, and it's still efficiently sampleable and computable. Notice that here you can talk about compressing, but actually it makes sense even to talk about non-compressing functions, as long as they have some collisions. Okay, and we'll see. And the security requirement is different. So the game looks very similar.
We send h and the adversary needs to respond with x1 and x2. Okay, but now he wins if this pair x1 and x2 is actually a random collision. So not an arbitrary collision, but a random collision, and I'm gonna explain what I mean by this. So think of the formal mental experiment. Okay, I'm defining some random variable they call h. It samples a uniformly random x1. Okay, so x1 is uniformly at random. Then I'm gonna sample x2 conditioned on colliding with x1. So x2 is gonna be uniform from all the preimages of h of x1, and then I'm gonna output x1, x2. This is what I'm gonna call a random collision. Okay, you can notice that x1 might equal x2. Okay, this might happen, depends on the size of the preimage of x1.

And now we're gonna say that a family H is a distributional collision resistant hash function if no adversary can come close to sampling a random collision, where close is close to this distribution. So there must exist some polynomial such that for every adversary these two distributions are one over poly apart: the distribution of a random collision and the distribution that the adversary can output. Okay, so going back, the definition here is that x1 and x2... he wins if they are close in statistical distance to this random collision. Okay, so this is a much harder task for the adversary, and this primitive is much weaker.

So a few fun facts about DCRH, distributional CRH. So first of all, introduced in a very different context, of the randomness complexity of sampling, efficient sampling, as I said, by Dubrov and Ishai a long time ago, already 2006. And you can say that they are not very collision resistant. Okay.
These are a very weak security notion. In particular, it might be possible that you have an algorithm that can sample from the set of all collisions. Okay, so this algorithm can find all collisions in this hash function, just not in the uniform distribution. So with some skewed distribution, and this algorithm still doesn't break the security of the hash function. Okay, so it's a very weak definition of security. It's analogous to, if you know, the distributional version of one-way functions, and actually also implies distributional one-way functions, where the adversary needs to not only find an arbitrary inverse of the one-way function, but a random inverse of the one-way function. Impagliazzo and Luby showed that these two notions are actually existentially equivalent. So the existence of one implies the existence of the other. And this seems not to be the case with collision resistant hashing. They are actually black-box separated from one-way functions, or even one-way permutations, and even one-way permutations with indistinguishability obfuscation. And the proof is very simple: take any black-box separation that you know that separates a CRH from something, and you just observe that it actually separates a DCRH from the same primitive. So the same black-box separations that work for CRH, the oracle there actually samples a random collision and not an arbitrary collision. So they just work as is.

Okay, so let's try to put some map of what we know. So we have DCRH now. This is the focus, it's in the center of this map. And trivially, if you have a CRH, this implies a DCRH. So if you cannot find any collision, you cannot find a random collision. This is trivial. And as we said, they imply one-way functions, and this dotted line means that they're actually black-box separated from one-way functions. Okay, in a previous work with Ilan, we talked about this notion of multi-collision resistant hash, that in the quantum session yesterday
they talked about also, where the task is to actually find k distinct elements that all hash to the same value. And we show that you cannot build a DCRH from an MCRH in a black-box manner, and then we also gave a construction that is non-black-box. And in the same work, we also gave a construction from SZK. This is statistical zero knowledge. I'm not going to define it. It's not too important for this talk. But we also gave a DCRH from SZK. So we have all these constructions of DCRH, and this makes sense because they have such a weak security. And the question is, what can we get from a DCRH? What meaningful application can we get from this weak definition of security of a hash function?

Okay, so we ask the question: does the power of distributional collision resistant hash go beyond one-way functions? And the answer is yes, and that's it. No, okay. So our main result: we show that DCRH implies a constant-round statistically hiding commitment scheme. Okay, so these are commitment schemes that are performed in constant many rounds, and they're statistically hiding. Okay, so the receiver, even an unbounded receiver, cannot know what the message is. And since the reduction is actually black-box, this shows that the power of DCRH goes beyond one-way functions, because of a previous result of Haitner et al. showing that you cannot get constant-round statistically hiding commitments from one-way functions in a black-box manner. To complement this result, we show that if you have a two-message statistically hiding commitment scheme, this actually implies a DCRH. Okay, so this is a very weak equivalence of these commitment schemes and DCRH.

So let's go back to our picture and make it more complicated. Okay, we have these constant-round commitments, so this is this work, and we also have this black-box separation. We have two-message commitments, okay, that imply DCRH. And now, if this is not complicated enough, let's add some more arrows. Okay, so from CRH,
we already know how to build two-round statistically hiding commitments. In some previous work it was shown that MCRH can actually be used to construct constant-round commitments. And as you can see, we get actually a new corollary. So from statistical zero knowledge you get DCRH, and then you get constant-round commitments. So we get this corollary that statistical zero knowledge implies constant-round commitments. Now some of you might be puzzled at this point. Okay, so this is our formal corollary, and ask: wait, wasn't this thing known already? So it has been regarded in some previous work, which I won't name, as a folklore result. But actually we looked very hard and we could not find any published proof of this corollary. The closest you can get is a paper by Ong and Vadhan showing that statistical zero knowledge implies instance-dependent commitments. These are commitments that are either statistically hiding or statistically binding, depending on the instance. And additionally, we give a direct proof of this corollary that doesn't go through the DCRH. Okay, really a direct construction from SZK to constant-round commitments.

Okay. So what is the outline of what I want to show? So SZK implies DCRH, this was known already. In a paper by Haitner et al. they introduced this notion of inaccessible entropy, that I'm gonna talk about, and they showed that if you have inaccessible entropy you get constant-round statistically hiding commitments. So the missing link is actually showing that DCRH implies this notion of inaccessible entropy. And in addition, we have this direct proof that doesn't go through this long line of reductions.

Okay, so I want to introduce this notion of inaccessible entropy, and I'll do this by this example. The notion is a bit complicated. We'll just see an example and I hope you understand. So how would I get a commitment scheme from a CRH? So this is very easy. The receiver just sends the hash function.
I'm gonna send a hash of this random value x, and this is gonna be a commitment to this x. It's not completely hiding x, but it's a short commitment, and it's known how to get statistically hiding commitments from a short commitment. So let's just focus on the short commitment. And then to open, I just reveal this message x. This is a very trivial scheme. Okay, and to see the binding, it's very easy: you know, the adversary cannot open to two different x's, otherwise he found a collision.

What happens now if I replace this hash function with a distributional CRH? So the adversary can not only open to some x prime, he can actually open to all the x primes that are a preimage of h of x. Okay, so you really get no security at all in this scheme. But still, we claim that there is some form of weak binding here. So I'm gonna assume throughout that this function h is regular, meaning every image has the same number of preimages. This is just for the simplicity of me presenting it. So if h of x was uniform, then the adversary cannot open to a uniform x, because if h of x is uniform and he opened to a uniform x, he actually found a uniform collision, a random collision. So we do have some weak notion of binding here. And in particular, the adversary must choose between two types of entropy loss. Either he has entropy loss in the first message and he doesn't send the uniform y, or he has entropy loss in the second message, where he doesn't send the uniform x, uniform, that is, conditioned on colliding with y. Okay, and this is exactly what is captured by this notion of inaccessible entropy. So the idea is we have this generator, we have some polynomial time algorithm that's gonna generate outputs, and we say that we have inaccessible entropy if the real entropy, okay,
meaning the entropy that an outside observer sees, is gonna be bigger than the accessible entropy of the generator. And to explain this, let's see an example. So I have this generator and it gets this hash function h. Let's just assume these are public parameters, I'm not gonna count this in the entropy. So it samples a random x and it outputs h of x. This is y. Okay, and then it samples x. What is the entropy of this generator? Okay, from somebody that looks from outside at the output of this generator. So we have the entropy of the first message, okay, plus the entropy of x conditioned on the previous message. Okay, and the previous block, so the first y, is just n minus k bits, okay, because we assume this is random, and then x conditioned on y is an additional x bits, and we get the n bits of entropy.

If we look at the... if h is collision resistant, and you look from the perspective of this generator G, even a cheating generator G, then once he output y, there is no more entropy in x. Okay, so he has entropy on the first message, but conditioned on what he knows already, there was no entropy for the second message that can be a consistent preimage. So this means that even if you take a... three minutes, okay... even if you take a cheating generator, no matter, it samples some randomness s1 and outputs some y. I don't know what he did. Maybe he didn't sample an x and output h of x. Okay, and then he uses some randomness s2 and outputs some x that is in the preimage of y. Then the real entropy is the same. Okay, but the accessible entropy now is the entropy of y plus the entropy of x conditioned on y and the randomness s1. Okay, and this is the crucial part: for any efficient generator, there's no more entropy for the second, if I condition on the randomness of the first message. The second message has no more entropy, and this is why we have inaccessible entropy. And really now, just to close the proof.
Let's replace the CRH with this DCRH. Okay, and we see this still, the real entropy is exactly the same. But now we have some weak notion of inaccessible entropy, because from a cheating G, x can be quite random, but it has to be still statistically far from y and y as a random preimage. And if you're statistically far from a uniformly random variable, you have less entropy than this random variable. Okay, and this is actually the heart of the proof, showing this. The proof is a bit technical, uses tools from information theory. There's a big difference: we have to deal with Shannon entropy, as opposed to a CRH or MCRH, which have a guarantee on the max entropy. So I don't have much time, I'm gonna skip this.

So the second result is that two-message statistically hiding commitments imply DCRH. And I don't have much time, so I'm gonna skip the proof. The proof is quite easy. And I just want to conclude with some open problems. So different notions of collision resistance imply different notions of inaccessible entropy. If you have a CRH, you really have zero max entropy: the support of x's that you can open to after you're committed to y is only the same x that you chose. So really you have zero max entropy. Okay, you can maybe guess, so it's close to zero, but it's miserable. If you have... and then you get succinct, two-message, two-round commitment schemes. Okay, so these are statistically hiding commitments. They're also succinct.
They're very small, much shorter than what you want to commit to, and these have many applications. If you have an MCRH, a multi-collision resistant hash, then the adversary might be able to open to x1, x2, x3, x4, but he has some finite list. Okay, so still you have some strong guarantee on the support size of what he can open to, and this gives you a strong guarantee on the max entropy, that it's not zero, but it's quite small. And we have shown in previous work that this actually also implies a short commitment scheme. It's now not two messages, it's gonna be constant messages. If you go below this line, you have a DCRH, which implies the weakest notion of entropy. It's almost maximum, just a bit less than maximum, and this is Shannon entropy. And in this work we show that this implies a constant-round commitment scheme, but not succinct. And there are two main open questions here. First, you can go over this scale and see what different notions of hash give you different notions of entropy, and what applications you can get from each such notion. And the second question is, where is this line? What is the minimal security requirement on a hash that you can get succinct constant-round commitments? Okay, thanks.

Do you have any questions? And so maybe I have a... people want to go home? Not yet.

So if you... the DCRH just in particular means that you cannot enumerate all collisions, right? Because otherwise I could just output all collisions and pick a random one. So that wouldn't be a DCRH. So doesn't that mean that it's in some sense like, you know, MCRH already, because you can only output...

You can't... so you can't really enumerate over all of them. You can sample from all of them, but not with the right distribution.

So yeah, but in particular you cannot enumerate. And if you cannot enumerate, say, 2 to the k collisions, it means, what is it?
You cannot specify i and get like the i-th collision. This is something, but if k is small then okay, then it's an MCRH where you cannot output all 2 to the k collisions, only 2 to the k minus 1, and I'm not sure, probably doesn't... okay.

Yeah, so I think you have many collisions. Okay, like you need to sample over all x and then all preimages. So it's not just a fixed y and then just enumerate over all preimages.

I mean, this is very elegant, and I assume, I mean please tell me if I'm wrong, that currently we don't probably have like some natural hardness assumption or a problem which is believed to be DCRH but it's like definitely not CRH. Is there some direction or some kind of notion of some variant of collision...

What do you mean? We have like SZK implies DCRH, and it's not known to imply any other form of as a complacency close.

But I'm saying, do we actually have like some construction, relatively, maybe, I don't know, I don't know if relatively natural note, but something which is...

So SZK is my best example. You know, from DDH and stuff like that, we know how to build CRH.

But this SZK, you're saying, does it give you at least some theoretical kind of construction which is believed to be... I mean from which we...

So you're saying SZK in general? I'm just trying to see... if there exists a hard-on-average problem in SZK then you have this DCRH, and I think so saying that I don't think it applies here. It's like we're far from...

All that I was just saying in general along these directions.
I mean, to me it would be interesting to kind of see, I don't know, assumption, but some kind of, you know, hash functions are really hard to construct, at least this kind of provable security. Is there some kind of notional direction, I don't know if it's DCRH or something, where maybe it's guided by practice, where there are some kind of designs which need to be much harder to be collision resistant, but might be good enough for some hardness...

Okay.

Okay, so if there are no more questions, let's thank the speakers of this session, and also the organizers, Marc Fischlin and his team, and the PC and the program chairs. Let's give them a round of applause, and see you next year.