Title: Randomization Techniques and Parallel Cryptography
Randomization Techniques and Parallel Cryptography
Yuval Ishai
Technion
The Basic Question
[figure: x is mapped by f to y; the encoding g(x,r) is decoded back to f(x) and simulated from f(x)]
Dec(g(x,r)) = f(x)
Sim(f(x)) ≡ g(x,r)
Variants: perfect, statistical, computational
- g is a randomized encoding of f
- Nontrivial relaxation of computing f
- Hope
  - g can be simpler than f (meaning of "simpler" determined by application)
  - g can be used as a substitute for f
Applications at a Glance
[figure: randomized encodings feed two applications, secure computation and parallel cryptography]
Rest of Tutorial
- Constructions of randomized encodings
  - Different notions of simplicity
  - Different flavors of encoding
    - Information-theoretic
    - Computational
- Applications
  - Secure computation
  - Parallel cryptography
Randomized Encoding - Syntax
[figure: f takes inputs x to y; g takes inputs x and random inputs r to z]
f(x) is encoded by g(x,r)
Randomized Encoding - Semantics
- Correctness: f(x) can be efficiently decoded from g(x,r).
  [figure: f(x) ≠ f(w) ⇒ the distributions g(x,U) and g(w,U) never overlap]
- Privacy: ∃ efficient simulator Sim such that Sim(f(x)) ≡ g(x,U)
  - g(x,U) depends only on f(x)
  [figure: f(x) = f(w) ⇒ g(x,U) ≡ g(w,U)]
Notions of Simplicity - I
- Application: minimal model for secure computation [Feige-Kilian-Naor 94, ...]
- 2-decomposability: g((xA,xB),r) = (gA(xA,r), gB(xB,r))
  [figure: r is shared; gA(xA,r) and gB(xB,r) are computed separately from xA and xB]
Example: sum
- f(xA,xB) = xA + xB (xA, xB ∈ finite group G)
  [figure: Alice holds xA, Bob holds xB, Carol receives the encoding]
Example: equality
- f(xA,xB) = [xA = xB] (xA, xB ∈ finite field F)
  [figure: Alice holds xA, Bob holds xB, Carol receives the encoding]
Example: ANY function
- f(xA,xB) = xA ∧ xB (xA, xB ∈ {0,1})
- Reduction to equality: xA ↦ 1/0, xB ↦ 2/0
- General boolean f: write as disjoint 2-DNF
  - f(xA,xB) = ⋁_{(a,b): f(a,b)=1} (xA = a ∧ xB = b) = t1 ∨ t2 ∨ ... ∨ tm
  - Exponential complexity
  00000000000 → 0
  00000100000 → 1
Notions of Simplicity - II
- Full decomposability: g((x1,...,xn),r) = (g1(x1,r), ..., gn(xn,r))
- Application: basing SFE on OT [Kilian 88, ...]
  - Dishonest Alice?
  [figure: shared randomness r; each input xi contributes its own block gi(xi,r), the last being gn(xn,r)]
Example: iterated group product
- Abelian case
  - f(x1,...,xn) = x1 + x2 + ... + xn
  - g(x, (r1,...,rn-1)) = (x1 + r1, x2 + r2, ..., xn-1 + rn-1, xn - r1 - ... - rn-1)
- General case [Kilian 88]
  - f(x1,...,xn) = x1 · x2 · ... · xn
  - g(x, (r1,...,rn-1)) = (x1 r1, r1^-1 x2 r2, r2^-1 x3 r3, ..., rn-2^-1 xn-1 rn-1, rn-1^-1 xn)
Example: iterated group product (contd.)
- Encoding: iterated group product σ1 ∘ σ2 ∘ σ3 ∘ ... ∘ σm ↦ (σ1 r1, r1^-1 σ2 r2, r2^-1 σ3 r3, ..., rm-1^-1 σm)
- Every output bit of g depends on just a single bit of x
- Efficient fully decomposable encoding for every f ∈ NC1
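The general-case (Kilian) encoding above, as an added worked example that is not part of the slides: group elements are permutations of range(k) stored as tuples (k = 5 gives the S5 products behind the NC1 result), and perfectly_private checks Sim(f(x)) ≡ g(x,U) by exhaustive enumeration. The function names are mine.

```python
from collections import Counter
from itertools import permutations, product

# Added example, not the slides' own code: Kilian's fully decomposable encoding of an
# iterated group product x1 * x2 * ... * xn.  Group elements are permutations of
# range(k) stored as tuples; k = 5 gives the S5 products behind the NC1 result,
# while small k keeps the exhaustive privacy check below fast.

def compose(a, b):
    """Group operation: (a * b)(i) = a(b(i))."""
    return tuple(a[b[i]] for i in range(len(a)))

def inverse(a):
    inv = [0] * len(a)
    for i, ai in enumerate(a):
        inv[ai] = i
    return tuple(inv)

def iterated_product(xs):
    """f(x1, ..., xn) = x1 * x2 * ... * xn."""
    out = xs[0]
    for x in xs[1:]:
        out = compose(out, x)
    return out

def encode(xs, rs):
    """g(x, (r1, ..., rn-1)) = (x1 r1, r1^-1 x2 r2, ..., rn-2^-1 xn-1 rn-1, rn-1^-1 xn).
    Block i depends on x_i and the randomness only, so g is fully decomposable."""
    n = len(xs)
    blocks = [compose(xs[0], rs[0])]
    for i in range(1, n - 1):
        blocks.append(compose(compose(inverse(rs[i - 1]), xs[i]), rs[i]))
    blocks.append(compose(inverse(rs[n - 2]), xs[n - 1]))
    return tuple(blocks)

def decode(blocks):
    """Multiplying the blocks telescopes every r_i r_i^-1 away, leaving f(x)."""
    return iterated_product(blocks)

def simulate(y, rs):
    """Sim(y): encode (y, e, ..., e), whose product is y, with fresh randomness rs."""
    e = tuple(range(len(y)))
    return encode((y,) + (e,) * len(rs), rs)

def perfectly_private(xs, k):
    """Exhaustive check that g(x, U) and Sim(f(x)) are identical distributions."""
    all_rs = list(product(permutations(range(k)), repeat=len(xs) - 1))
    real = Counter(encode(xs, rs) for rs in all_rs)
    return real == Counter(simulate(iterated_product(xs), rs) for rs in all_rs)
```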
Notions of Simplicity - III
- Low degree: g(x,r) = vector of degree-d polynomials in x, r over F
  - aka Randomizing Polynomials [I-Kushilevitz 00, ...]
- Application: round-efficient MPC
  - Motivating observation: low-degree functions are easy to distribute!
  - Round complexity of MPC protocols [BGW88, CCD88, CDM00, ...]
    - Semi-honest model
      - t < n/d ⇒ 2 rounds
      - t < n/2 ⇒ multiplicative depth 1: ⌈log d⌉ + 1 rounds
    - Malicious model
      - Optimal t ⇒ O(log d) rounds
Examples
- What's wrong with previous examples?
  - Great degree in x (deg_x = 1), bad degree in r
- Coming up
  - Degree-3 encoding for every f
  - Efficient in size of branching program
Notions of Simplicity - IV
- Small locality
- Application: parallel cryptography! [Applebaum, I, Kushilevitz 04, ...]
- Coming up: encodings with locality 4
  - degree 3, fully decomposable
  - efficient in size of branching program
Parallel Cryptography
How low can we get?
[figure: hierarchy of classes from poly-time down through NC, log-space, NC1 and AC0 to NC0]
Cryptography in NC0?
- Longstanding open question
  - [Håstad 87]
  - [Impagliazzo Naor 89]
  - [Goldreich 00]
  - [Cryan Miltersen 01]
  - [Krause Lucks 01]
  - [Mossel Shpilka Trevisan 03]
- Real-life motivation: super-fast cryptographic hardware
Main Primitives
- OWF: given y = f(U_in), a poly-time adversary must find x ∈ f^-1(y)
- PRG: a poly-time distinguisher is given either f(U_in) or U_out and must tell which (pseudorandom or random?)
Previous Work
- Positive results
  - PRG in NC1, TC0 from factoring, discrete-log, lattices
  - PRF in TC0 from number theoretic assumptions [Naor Reingold 97]
  - Low-stretch PRG in AC0 from subset sum [Impagliazzo Naor 89]
  - [Goldreich 00] conjectured OWF in NC0
- Negative results
  - No PRF in AC0 [Linial Mansour Nisan 89]
  - No PRG, OWF in NC0_2 [Goldreich 00, Cryan Miltersen 01]
  - PRG in NC0_3, NC0_4 ⇒ low stretch [CM01, Mossel Shpilka Trevisan 03]
[figure: table of PRG and OWF status by class: NC1, TC0, AC0 known; NC0 open; PRGs in NC0_4 and NC0_3 have low stretch; NC0_2 ruled out]
Surprising Positive Result [AIK04]
Compile primitives in a relatively high complexity class (e.g., NC1, NL/poly, ⊕L/poly) into ones in NC0.
NC1 cryptography implied by factoring, discrete-log, lattices ⇒ essentially settles open question
[figure: the PRG/OWF table again, now with locality-4 NC0 constructions obtained from primitives in NC1 (factoring, discrete-log, lattices), TC0 and AC0 (subset-sum); NC0_2 impossible, NC0_3 PRG still low stretch]
Encoding a OWF
Thm. f(x) is a OWF ⇒ g(x,r) is a OWF
Proof: inverter B for g ⇒ inverter A for f
[figure: A receives y = f(x), runs B on z = Sim(y), and B returns (x,r) with g(x,r) = z]
- A succeeds whenever B succeeds
  - Dec(z) = Dec(g(x,r)) = f(x)
  - Dec(z) = Dec(Sim(y)) = y
- A generates a correct input distribution for B
  - Sim(f(U_n)) ≡ g(U_n, U_m)
Encoding a PRG
- Want: f(x) is a PRG ⇒ g(x,r) is a PRG
- Problems
  - output of g may not be pseudorandom
  - g may shrink its input
- Solution: perfect randomized encoding
  - respects pseudorandomness, additive stretch, ...
  - stretch of g is typically sublinear even if that of f is superlinear
  - most (not all) known constructions give perfectness for free
Additional Cryptographic Primitives
- General compiler also applies to
  - one-way / trapdoor permutations
  - collision-resistant hashing
  - public key / symmetric encryption
  - signatures / MACs
  - commitments
  - ...
- Caveat: decryption / verification not in NC0
  - But can commit in NC0 with decommit in NC0AND
  - Applications: coin-flipping, zero-knowledge, ...
Non-cryptographic PRGs
- ε-biased generators
  - [Mossel Shpilka Trevisan 03]: superlinear stretch in NC0_5
  - Using randomized encoding: linear stretch in NC0_3
    - optimal locality, stretch
- PRGs for space-bounded computation
Remaining Challenge
Coming up
- How to encode complex f by g ∈ NC0?
- Observation: enough to obtain constant-degree encoding
  - Locality Reduction: degree-3 polynomial over GF(2) ⇒ locality-4 randomized encoding
  f(x) = T1(x) + T2(x) + ... + Tk(x)
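An added worked example (not from the slides) of the locality reduction just stated, taking the two-block construction of [AIK04] as the intended one (an assumption on my part): each monomial Ti gets a fresh bit ri, and a second block of telescoping sums over extra bits s hides the r's, so every output reads at most four bits while the XOR of all outputs is still f(x).

```python
from collections import Counter
from itertools import product

# Added example, not the slides' own code: the locality reduction for a GF(2)
# polynomial f(x) = T1(x) + ... + Tk(x) whose monomials Ti have degree <= 3.
# A monomial is a tuple of variable indices; () is the constant 1.

def eval_monomial(mono, x):
    out = 1
    for i in mono:
        out &= x[i]
    return out

def poly(monos, x):
    """f(x) = T1(x) + ... + Tk(x) over GF(2)."""
    return sum(eval_monomial(m, x) for m in monos) % 2

def encode(monos, x, r, s):
    """g(x, r, s) with k random bits r and k-1 random bits s:
       block a: Ti(x) + ri                                    (locality <= deg Ti + 1 = 4)
       block b: r1+s1, r2+s1+s2, ..., rk-1+sk-2+sk-1, rk+sk-1   (locality <= 3)
    The s bits telescope away, so the sum of all outputs is f(x) + 2*sum(r) = f(x)."""
    k = len(monos)
    a = [eval_monomial(m, x) ^ r[i] for i, m in enumerate(monos)]
    b = [r[i] ^ (s[i - 1] if i > 0 else 0) ^ (s[i] if i < k - 1 else 0) for i in range(k)]
    return tuple(a + b)

def decode(z):
    return sum(z) % 2

def simulate(y, k, coins):
    """Sim(y): 2k uniform bits subject to summing to y (2k-1 free coins)."""
    z = list(coins)
    return tuple(z + [(y + sum(z)) % 2])

def locality(monos):
    """Largest number of input bits (x, r or s) any single output reads."""
    k = len(monos)
    return max([len(set(m)) + 1 for m in monos] + [1 + (i > 0) + (i < k - 1) for i in range(k)])

def perfectly_private(monos, x):
    """Exhaustive check that g(x, U) and Sim(f(x)) are identical distributions."""
    k = len(monos)
    coins = list(product((0, 1), repeat=2 * k - 1))
    real = Counter(encode(monos, x, c[:k], c[k:]) for c in coins)
    return real == Counter(simulate(poly(monos, x), k, c) for c in coins)
```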
3 Ways to Degree 3
1. Degree-3 encoding using a circuit representation
Using circuit representation (contd.)
[figure: the circuit as a system of degree-2 constraints q1(x,y) = 0, q2(x,y) = 0, ..., qs(x,y) = 0]
- works over any field
- complexity exponential in circuit size
2. Degree-3 encoding using quadratic characters
- Let N = 2^n, b = length-N truth-table of f, F = GF(q)
- Define p(x1,...,xn, r)
- one polynomial
- huge field size
3. Perfect Degree-3 Encoding from Branching Programs
- BP = (G, s, t, edge-labeling)
- Gx = subgraph induced by x
- mod-q NBP: f(x) = # s-t paths in Gx (mod q)
- size = # of vertices
- circuit-size ≤ BP-size ≤ formula-size
- Boolean case: q = 2.
- Captures complexity class ⊕L/poly
Perfect Degree-3 Encoding of BPs
Correctness: f(x) = det g(x,r1,r2)
[figure: g(x,r1,r2) as a product of matrices; the random entries are not recoverable from the transcript]
Privacy: g(x,r1,r2) ≡ [figure: the same random matrices around a fixed matrix; entries not recoverable from the transcript]
Proof of Lemma
Lemma: ∃ degree-1 mapping L: x ↦ L(x) s.t. det(L(x)) = f(x).
Proof
- A(x) = adjacency matrix of Gx (over F = GF(q))
- I + A + A^2 + ... = (I-A)^-1
- ((I-A)^-1)_{s,t} = (-1)^{s+t} det (I-A)_{t,s} / det (I-A) = det (A-I)_{t,s}
- L(x) = (A(x)-I)_{t,s}
[figure: the matrices A and L; entries not recoverable from the transcript]
- Thm. size-s BP ⇒ degree-3 encoding of size O(s^2)
  - perfect encoding for mod-q BP (capturing ⊕L/poly for q = 2)
  - imperfect for nondeterministic BP (capturing NL/poly)
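An added worked example (not the slides' own code) of the lemma and the BP encoding above, over GF(2): it builds L(x) from a toy branching program, checks det L(x) = f(x), and wraps L(x) in random matrices of the shape the slide figure suggests (R1 unit upper-triangular, R2 the identity with a random last column; that shape is my assumption, following [IK02]/[AIK04]) to obtain g(x,r1,r2), then verifies perfect privacy by exhaustive enumeration.

```python
from collections import Counter
from itertools import product
# Added example, not the slides' own code: an IK02/AIK04-style perfect degree-3 encoding of
# a mod-2 branching program on a toy BP.  Vertices 0..n-1 are topologically ordered, s = 0,
# t = n-1; edge (u, v, lit) is in G_x iff its label is 1 (lit = variable index or True).
# The shapes of R1 and R2 below are assumed from the slides' matrix figure.
def edges_on(bp, x):
    return [(u, v) for u, v, lit in bp if lit is True or x[lit] == 1]
def bp_eval(bp, n, x):
    """f(x) = number of s-t paths in G_x, mod 2."""
    ways = [1] + [0] * (n - 1)
    for u, v in sorted(edges_on(bp, x)):        # u < v, so ways[u] is already final
        ways[v] ^= ways[u]
    return ways[n - 1]
def L_matrix(bp, n, x):
    """L(x) = (A(x) - I) minus row t and column s: degree 1 in x, det L(x) = f(x)."""
    A = [[int(i == j) for j in range(n)] for i in range(n)]   # -I == I over GF(2)
    for u, v in edges_on(bp, x):
        A[u][v] ^= 1
    return [row[1:] for row in A[:-1]]
def det2(M):                                    # determinant over GF(2)
    M, m = [list(row) for row in M], len(M)
    for c in range(m):
        piv = next((r for r in range(c, m) if M[r][c]), None)
        if piv is None:
            return 0
        M[c], M[piv] = M[piv], M[c]
        for r in range(c + 1, m):
            if M[r][c]:
                M[r] = [a ^ b for a, b in zip(M[r], M[c])]
    return 1
def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) & 1 for col in zip(*B)] for row in A]
def randomize(M, coins):
    """R1 * M * R2: R1 unit upper-triangular (random above the diagonal), R2 = I with a random last column."""
    m, it = len(M), iter(coins)
    R1 = [[1 if i == j else next(it) if j > i else 0 for j in range(m)] for i in range(m)]
    R2 = [[1 if i == j else next(it) if j == m - 1 else 0 for j in range(m)] for i in range(m)]
    return tuple(map(tuple, matmul(matmul(R1, M), R2)))
def encode(bp, n, x, coins):                    # g(x, r1, r2): degree <= 3; needs m(m-1)/2 + m-1 coins, m = n-1
    return randomize(L_matrix(bp, n, x), coins)
def simulate(y, n, coins):
    """Sim(y): randomize the canonical matrix (ones on the subdiagonal, y in the top-right)."""
    C = [[int(i == j + 1) for j in range(n - 1)] for i in range(n - 1)]
    C[0][n - 2] = y
    return randomize(C, coins)
def perfectly_private(bp, n, x):
    """Exhaustive check that g(x, U) and Sim(f(x)) are identical distributions."""
    coins = list(product((0, 1), repeat=(n - 1) * (n - 2) // 2 + n - 2))
    real = Counter(encode(bp, n, x, c) for c in coins)
    return real == Counter(simulate(bp_eval(bp, n, x), n, c) for c in coins)
```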
Is 3 minimal?
Wrapping Up
Composition Lemma
From Branching Programs to Locality 4
[figure: poly-size BPs f(1), f(2), ..., f(l) → BP encoding → g(1), g(2), ..., g(l) → locality reduction → h(1), h(2), ..., h(l) → concatenation → h, locality 4]
Computationally Private Encodings
- Known: f ∈ NC1, ⊕L ⇒ encoding in NC0
- Goal: f ∈ P ⇒ encoding in NC0
- Idea: relax encoding requirement
  - Respects security of most primitives
- Thm: f ∈ P ⇒ computational encoding in NC0_4 assuming easy PRG (min-PRG ∈ ⊕L)
  - Easy PRG can be based on factoring, discrete-log, lattices
Tool: Yao's Garbled Circuit [Yao86]
Gives rise to a randomized encoding g(x, (k_{i,b}, r)) = ((k_{i,x_i})_{i=1..n}, garbled circuit)
Garbled Circuit Construction
[figure: a circuit whose wires each carry a 0-key and a 1-key]
- Pair of randomly colored keys for each wire
- For each input wire, key corresponding to its value is revealed
- Color semantics of output wires are revealed
- Garbled gates
Garbled Circuit Construction (contd.)
- Implementing locks
  - (one-time) symmetric encryption
    - ⇒ computational privacy, works for any circuit
  - one-time pads
    - ⇒ information-theoretic privacy, efficient only for log-depth circuits
Thm. easy PRG ⇒ encoding in NC0 for all f ∈ P
[figure: f ∈ P → (Yao garbled circuit with one-time symmetric encryption) → g ∈ NC0^{min-PRG} → (easy PRG) → g ∈ ⊕L → [AIK04] → h ∈ NC0_4]
App 1: Relaxed Assumptions for Crypto in NC0
[figure: table over OWF, OWP, PRG, Hash, Sym-Enc, PK-Enc, Signature, Commit, NIZK, one row for perfect and one for computational encodings; assuming an easy PRG, Sym-Enc, PK-Enc, Signature, Commit and NIZK that exist at all exist in ⊕L and hence in NC0]
App 2: Parallel Reductions Between Primitives
- Proof: given code of min-PRG
  - Construct f ∈ P^{min-PRG} via known reduction
  - Use code of f to construct g ∈ NC0^{min-PRG}
  - Note: non-black-box reduction!
- Thm. All are equivalent under poly-time reductions [Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, ...]
- What about NC reductions?
  - Much less is known.
- New: [figure: diagram of reductions among OWF, Regular OWF, min-PRG, PRG, PRF, Synthesizer, Sym-Enc, Signature and Commit, labelled with their complexity: NR in NC1; HILL, Viola, AIK and Naor in NC0]
App 3: Secure Multiparty Computation
- In case you don't insist on unconditional security
- Securely evaluating an arbitrary function f efficiently reduces to securely evaluating deg-3 polynomials
  - assuming an easy PRG
- In particular
  - Basic MPC protocols (e.g., BGW) imply constant-round computationally secure MPC for every f.
  - Known assuming any PRG [BMR90, DI05]; however, current approach is simpler and can be made more efficient [DI06].
Parallel Pseudorandom Generators
[figure: a poly-time machine sees either G(U_in) or U_out and must tell which (pseudorandom or random?); the stretch is the output length minus the input length]
PRGs - Parallelism vs. Stretch
[figure: complexity (poly-time, NC, log-space, NC1, AC0, NC0, NC0_l) plotted against stretch (sub-linear, linear, super-linear)]
Motivation: parallel implementation of crypto tasks (e.g., Naor commitment, stream cipher)
Previous Work
- Positive results
  - Super-Linear PRG from any PRG [Goldreich Micali 84]
  - Super-Linear PRG in NC1 from factoring [Naor Reingold Rosen 02, NR97]
  - Sub-Linear PRG in AC0 from subset sum [Impagliazzo Naor 89]
  - Sub-Linear PRG in NC0_4 from any PRG in NC1 [AIK04]
  - Sub-Linear PRG in NC0_3 from decoding random linear code [AIK]
  - Linear PRG in NC0_4 from Linear PRG in NC0 [AIK04]
- Negative results
  - No PRGs in NC0_2 [Goldreich 00, Cryan Miltersen 01]
  - No Super-Linear PRG in NC0_3, NC0_4 [CM01, Mossel Shpilka Trevisan 03]
  - Sub-Linear PRG ⇏ Linear PRG by black-box (BB) reductions [Viola 05]
[figure: table of PRG stretch (sub-linear, linear, super-linear) against class (NC0_2, NC0_3, NC0_4, NC0, AC0, NC1, P): super-linear from factoring in NC1, sub-linear from subset sum / random linear code, with open and impossible cells as in the bullets above]
New Results [AIK06]
- Algebraic assumption of [Alekhnovich 03] ⇒ LPRG in NC0
- LPRG in NC0 ⇒ Inapproximability of MAX 3SAT.
Conclusion: Algebraic assumption of [Alekhnovich 03] ⇒ Inapproximability of MAX 3SAT.
Already proven directly by [Alekhnovich 03]
[figure: the stretch-versus-class table with a linear-stretch PRG now placed in NC0]
Crypto in NC0 and Inapproximability
- k-Constraint Satisfaction Problem
  - X1 ? X3 ? X5 = 0
  - X2 ?X3 ? X4 = 1
  - ...
  - X2 X3 X4 = 1
  - Q. how many of the constraints can be satisfied together?
  - List of constraints over n variables x1,...,xn
  - Each constraint involves k variables
[AIK06] If Lin-Stretch PRG in NC0, then k-CSP cannot be approximated better than some multiplicative constant
Corollary of PCP [ALMSS, AS92, Din06]: If P ≠ NP, then k-CSP cannot be approximated better than some multiplicative constant
[figure: G has m output bits G1(x), ..., Gm(x), each depending on k of the input bits x1, ..., xn (locality k)]
- Suppose we have a .99-approximation alg. A for k-CSP.
- We break G as follows.
  - Given y = (y1,...,ym)
  - Run A on the k-CSP instance {Gi(x) = yi : i = 1,...,m}.
  - Output "pseudorandom" iff A's output ≥ .99m
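The reduction above, as an added example that is not part of the slides: G is a constructed locality-3 generator with n = 8 and m = 16 (linear stretch), and a brute-force exact solver plays the role of the approximation algorithm A, so the experiment also shows why the distinguisher works: an output of G always satisfies all m constraints, while a uniform string lies in G's range with probability at most 2^n / 2^m.

```python
import random
from itertools import product

# Added example, not the slides' own code: the reduction from breaking a locality-k PRG
# G: {0,1}^n -> {0,1}^m to approximating k-CSP, run on a constructed toy G.  A brute-force
# exact solver stands in for the .99-approximation algorithm A of the slides.

N, M, K = 8, 16, 3          # n input bits, m = 2n output bits: linear stretch

def make_generator(seed=1):
    """Constructed locality-3 G: output i is x[a] ^ (x[b] & x[c]) for random (a, b, c)."""
    rnd = random.Random(seed)
    return [tuple(rnd.sample(range(N), K)) for _ in range(M)]

def evaluate(G, x):
    return tuple(x[a] ^ (x[b] & x[c]) for a, b, c in G)

def max_satisfiable(G, y):
    """Exact k-CSP solver: the most constraints G_i(x) = y_i any single x satisfies."""
    return max(sum(gi == yi for gi, yi in zip(evaluate(G, x), y))
               for x in product((0, 1), repeat=N))

def distinguisher(G, y):
    """Output 'pseudorandom' iff A satisfies at least .99 m of the constraints.
    Every y = G(x) is accepted, since x itself satisfies all m; a uniform y is
    accepted only if it lies in G's range, which has at most 2^n of the 2^m strings."""
    return max_satisfiable(G, y) >= 0.99 * M

def experiment(G, trials=50, seed=2):
    """Acceptance rate on G(U_n) versus on uniform U_m strings."""
    rnd = random.Random(seed)
    pseudo = sum(distinguisher(G, evaluate(G, [rnd.randrange(2) for _ in range(N)]))
                 for _ in range(trials))
    uniform = sum(distinguisher(G, [rnd.randrange(2) for _ in range(M)])
                  for _ in range(trials))
    return pseudo / trials, uniform / trials
```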
On Linear-Stretch PRGs in NC0
- Can be constructed based on a previous assumption of Alekhnovich related to the hardness of decoding certain error-correcting codes [AIK06].
  - elementary proof of hardness of approximation!
- However: stronger hardness of approximation results based on the same assumption were already proved in [Alekhnovich 03] (following [Feige 02]).
- Hope
  - Construct Linear-Stretch PRG based on more standard assumptions.
  - Strengthen hardness of approximation results.
Summary
- Different flavors of randomized encoding
  - Motivated by different applications
    - Secure computation
    - Parallel cryptography
    - Hardness of approximation?
  - Simplest encodings: outputs of the form x_i r_j r_k + r_h
- Efficient perfect/statistical encodings for various complexity classes (NC1, NL/poly, mod_q L/poly)
  - Algebraic approach
  - Combinatorial approach: information-theoretic garbled circuit
- Efficient computationally private encodings for all P, assuming Easy PRG.
Open Questions
- Randomized encoding
- Parallel crypto
- MPC