## Universal One-Way Hash Functions via Inaccessible Entropy (2010)

Citations: 3 - 0 self

### BibTeX

@MISC{Haitner10universalone-way,
    author = {Iftach Haitner and Thomas Holenstein and Omer Reingold and Salil Vadhan and Hoeteck Wee},
    title = {Universal One-Way Hash Functions via Inaccessible Entropy},
    year = {2010}
}

### Abstract

This paper revisits the construction of Universal One-Way Hash Functions (UOWHFs) from any one-way function due to Rompel (STOC 1990). We give a simpler construction of UOWHFs, which also obtains better efficiency and security. The construction exploits a strong connection to the recently introduced notion of inaccessible entropy (Haitner et al. STOC 2009). With this perspective, we observe that a small tweak of any one-way function f is already a weak form of a UOWHF: Consider F(x, i) that outputs the i-bit long prefix of f(x). If F were a UOWHF then given a random x and i it would be hard to come up with x′ ≠ x such that F(x, i) = F(x′, i). While this may not be the case, we show (rather easily) that it is hard to sample x′ with almost full entropy among all the possible such values of x′. The rest of our construction simply amplifies and exploits this basic property.

With this and other recent works, we have that the constructions of three fundamental cryptographic primitives (Pseudorandom Generators, Statistically Hiding Commitments and UOWHFs) out of one-way functions are to a large extent unified. In particular, all three constructions rely on and manipulate computational notions of entropy in similar ways. Pseudorandom Generators rely on the well-established notion of pseudoentropy, whereas Statistically Hiding Commitments and UOWHFs rely on the newer notion of inaccessible entropy.

### Citations

8868 | Elements of information theory - Cover - 1991 |

740 | A pseudorandom generator from any one-way function - Håstad, Impagliazzo, et al. - 1999 |

317 | Universal one-way hash functions and their cryptographic applications - Naor, Yung - 1989 |
Citation Context: ...6060. ¶ Queens College, CUNY. E-mail: hoeteck@cs.qc.cuny.edu. Supported in part by PSC-CUNY Award #6014939 40.1 Introduction Universal one-way hash functions (UOWHFs), as introduced by Naor and Yung [NY], are a weaker form of collision-resistant hash functions. The standard notion of collision resistance requires that given a randomly chosen function $f \stackrel{R}{\leftarrow} F$ from the hash family, it is infeasible to ...

230 | Randomness is linear in space - Nisan, Zuckerman - 1996 |
Citation Context: ...igible ε. (Footnote 4: The term “smoothed entropy” was coined by Renner and Wolf [RW], but the notion of smoothed min-entropy has commonly been used (without a name) in the literature on randomness extractors [NZ].) These smoothed versions of min-entropy and max-entropy can be captured quite closely (and more concretely) by requiring that the sample-entropy is large or small with high probability: Lemma 2.1. ...

202 | Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack - Cramer, Shoup |
Citation Context: ...based on trapdoor functions (as might have been expected to be necessary due to the public-key nature of signature schemes). More recently, UOWHFs have been used in the Cramer–Shoup encryption scheme [CS] and in the construction of statistically hiding commitment schemes from one-way functions [HNO+, HRVW]. Naor and Yung [NY] gave a simple and elegant construction of UOWHFs from any one-way permutat...

199 | One-way functions are necessary and sufficient for secure signatures - Rompel - 1990 |
Citation Context: ...f statistically hiding commitment schemes from one-way functions [HNO+, HRVW]. Naor and Yung [NY] gave a simple and elegant construction of UOWHFs from any one-way permutation. Subsequently, Rompel [Rom1] gave a much more involved construction to prove that UOWHFs can be constructed from an arbitrary one-way function, thereby resolving the complexity of UOWHFs (as one-way functions are the minimal com...

117 | One-way functions are essential for complexity based cryptography - Impagliazzo, Luby - 1989 |
Citation Context: ...t to show that when run on a random output Y of f, Inv produces an almost-uniform preimage of Y. This contradicts the one-wayness of f. Indeed, we only need f to be a distributional one-way function [IL], whereby it is infeasible to generate almost-uniform preimages under f. Inaccessible Entropy ⇒ UOWHFs. Once we have a non-negligible amount of inaccessible entropy, we can construct a UOWHF via a ser...

97 | Collision-Resistant Hashing: Towards Making UOWHFs Practical - Bellare, Rogaway - 1997 |

70 | On constructing locally computable extractors and cryptosystems in the bounded storage model - Vadhan |
Citation Context: ...0 we have $\Pr_{x_i \stackrel{R}{\leftarrow} X}[H_X(x_i) \geq \log(|U|/\tau)] \leq \sum_{x_i \in U : H_X(x_i) \geq \log(|U|/\tau)} \Pr[X = x_i] \leq |U| \cdot 2^{-\log(|U|/\tau)} = \tau$. A Chernoff Bound for random variables with such exponentially vanishing tails follows from [Vad], and it says that the probability that the sum deviates from the expectation by at least ∆ · (log(|U|/τ)) + 2τt is at most exp(−Ω(∆²/t)) + exp(−Ω(τt)), provided τ ∈ [0, 1]. An appropriate choice of...

45 | A Composition Theorem for Universal One-Way Hash Functions - Shoup - 2000 |
Citation Context: ... is a collision for F′ x⊕x0 iff (x, x ⊕ x0 ⊕ x1) is a collision for F. It then follows quite readily that A breaks F with the same probability that A′ breaks F′ y. □ The following result of Shoup [Sho] (improving on [NY, BR]) shows that we can construct target collision-resistant hash functions for arbitrarily long inputs starting from one for a fixed input length. Lemma 5.6 (Increasing the input l...

16 | Smooth Rényi entropy and applications - Renner, Wolf - 2004 |
Citation Context: ...ntropy (respectively, low entropy) if X is ε-close to some X′ with H∞(X) ≥ k (resp., H0(X) ≤ k) for some parameter k and a negligible ε. (Footnote 4: The term “smoothed entropy” was coined by Renner and Wolf [RW], but the notion of smoothed min-entropy has commonly been used (without a name) in the literature on randomness extractors [NZ].) These smoothed versions of min-entropy and max-entropy can be captur...

12 | Efficiency improvements in constructing pseudorandom generators from one-way functions - Haitner, Reingold, et al. - 2010 |

11 | Inaccessible entropy - Haitner, Reingold, et al. - 2009 |
Citation Context: ...hieved at each stage of the construction. In this paper, we give simpler constructions of UOWHFs from one-way functions, based on (a variant of) the recently introduced notion of inaccessible entropy [HRVW]. In addition, one of the constructions obtains slightly better efficiency and security. (Footnote 1: More details of Rompel’s proof are worked out, with some corrections, in [Rom2, KK].) 1.1 Inaccessible Entro...

10 | On constructing universal one-way hash functions from arbitrary one-way functions. IACR Cryptology ePrint Archive - Katz, Koo - 2005 |

9 | Amplifying collision resistance: A complexity-theoretic treatment - Canetti, Rivest, et al. - 2007 |

8 | Techniques for computing with low-independence randomness - Rompel - 1990 |

7 | Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function - Haitner, Nguyen, et al. |

1 | Rompel's Construction in Average-Case Complexity. Unpublished manuscript - Holenstein - 2009 |