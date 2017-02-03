Hacker News new | comments | show | ask | jobs | submit login
Why should hard be secure enough? Information and non-invertibility (diogomonica.com)
The concepts are a bit sloppy here. "Zero information" is a bit of hand waving which relies on the idea of having a uniform distribution on a set with infinite measure, which is not mathematically sound nor is it useful as an approximation.

All messages that you choose to transmit follow some probability distribution with each message having finite, nonzero probability. This is what the author gets wrong, on a very fundamental level. If this were not true, your messages would require an infinite number of bits to transmit.

Studies of the usefulness of hash functions are based on comparisons to an "ideal" hash function called a random oracle. The idea behind a random oracle is that you can't reverse it, but you can try to remember what outputs it gives for known inputs.

This "perfect hash function" has been extensively studied and still suffers from all of the flaws that the author mentions in this article. And yet people prove rather strong properties of cryptography systems under the random oracle assumption. So the author's criticisms, fortunately, have no bearing or relationship to real cryptography, because the good systems are already designed to be immune to such attacks.

I'm on mobile so I can't really give a play by play but the article is really based on nothing more than bad math.

If we have any probability distribution, that tells us something about x. If someone tells us that license plates numbers are uniformly distributed, we can pretend to be a license plate maker by sampling from a uniform distribution, and nobody else could tell the difference by looking at the license plate numbers we make.

Zero information is more like not knowing what probability distribution a variable comes from. Rather than hiding "what value does x take", we can hide "what probability distribution does x come from". That's one level up. (Then you could ask what the likelihood of x having a given probability distribution is, and so on -- zero information is having none of this information, all the way up.)

Uniform distribution gives minimum information, assuming the range is known. Any other distribution will give more information. Talking about information capacity of coded messages, here.

I think what you are saying when you use the phrase "zero information" is really "zero knowledge".

"...if we have zero information concerning the value of x, than we are also clueless in what concerns the value of, say, x^2"

But that is not true, we have -some- information concerning the value of x, namely that the value of x is equiprobable.

This article takes a very long time to make an elementary point: if x is a uniformly distributed random variable, f(x) is not a uniformly distributed random variable if f is non-linear.

Which is visualized nicely in these 20 second videos.

Non-linear transform of a random variable:

https://www.youtube.com/watch?v=hQjk4ClpuUk

Linear transform of a random variable:

https://www.youtube.com/watch?v=cKo6-DnIxCg

There are some technical issues with the article, but the point the author makes (hashes are imperfect since they carry some information, but it is really hard or even impossible to do something better) still stands.

One random (heh) thing that occurs to me reading this article is that if you are using hashing for security (e.g. password hashing, key derivation, ...) then what the author is calling "invertibility", i.e. there are few values in the input space that map to some value in the output space, is actually a good thing. All other things being equal, the more such input values there are, the more feasible collision/preimage attacks become. It seems clear that for these purposes, the information content of the output should be at least equal to that of the input.

I don't understand why the x^2 thing is interesting at all.

If I multiply x by 0, the distribution is now just 0.

If I take abs(x) now it is positive.

Are these confusing to anyone?

It's confusing to me why the author is confused by these. As you say, he's literally saying "if I know nothing about x, then I should also know nothing about 0x". Wtf? No.

I think the confusion is between the idea that a hash function conveys zero information about the input, and the idea that you will have zero information about the input once seeing the output of the hash.

But if we move it out of math, it's easier to understand: if you have some guesses about x, and I tell you nothing, you have the same guesses about x. You don't stop having guesses.

In code:

i(x) = x // We know i is uniformly distributed just as x is - preserve "unknowability"

f(x) = x^2 // We know f has higher probability between [0,1] than [1,2]

g(x) = 1 // We know g is always 1.

Just because your inputs are random, doesn't mean your output is - the implementation matters.

... which is exactly what I said. What are you adding here?

While I like the style of writing very much, I don't like the pseudo-scientific take on the 'problem'.

In any probability class, you will learn that you can't have an uniform distribution on an infinite set.

Nitpicking, but you can have a uniform distribution on the unit interval, which is infinite :). What you cannot have is a uniform distribution on an unbounded set.

Mathematician here. You can't have a uniform distribution on a set with infinite measure. Unbounded sets are fine as long as they have finite measure.

Well, I was criticising the article in a condescending way, on very similar grounds, so you make a fair point ;)

It's an interesting exercise in measure to figure out what falls apart between a uniform distribution on [0,1] and the lack of one on [0, inf]. (Adding a point at infinity to compactify the set, which makes the two intervals topologically equivalent.)

To elaborate, the reason topological equivalence doesn't help here is because probability is defined in terms of measure spaces, not topological spaces.

Which aspect of the writing style appealed to you?

diogomonicapt writes "Light does not travel at the speed of light (no pun intended) because it is hard for it to do otherwise. No. It travels (and does so at that particular speed), because it is impossible for light to do otherwise."

Actually,the speed of light in a vacuum is an upper bound. The actual speed of light can be substantially slower. https://en.wikipedia.org/wiki/Slow_light

Some cosmological theories do not require the speed of light to be constant and fixed, and replace that axiom with requirements on the relationship of the speed of light with other physical parameters.

He didn't say "the speed of light in a vacuum", he just said "the speed of light". And in the next sentence he said

> … it is simply not possible for light to be still, or even propagate at a different speed in the same medium.

So he's already acknowledged the fact that the speed of light depends on the medium. His point, though, is that light must still travel at this speed (even though the speed itself depends on the medium).

A good hash function doesn't, and cannot, ensure that you have no information about the input. It can't take information away from you.

A good hash function ensures that, whatever information you have about the input, you have no more information upon seeing the hash. If you believe x is equiprobable over some range, seeing H(x) should cause you to continue to believe it's equiprobable over that range. If you believe x is the square of some random variable y which is equiprobable in some range, seeing H(x) won't convince you that x is equiprobable!

If your prior for x is equiprobable over the space of Microsoft Word documents confessing to high treason and 0 probability elsewhere, seeing H(x) won't tell you which Word document it is, but it certainly won't cause you to believe that it might be an MP3, either.

