Randomization Techniques and Parallel Cryptography

1
Randomization Techniquesand Parallel
Cryptography
Yuval Ishai
Technion
2
The Basic Question
Dec(g(x,r)) f(x)
f
x
y
Sim(f(x)) ? g(x,r)
Enc(y)
Enc(y)
Variants perfect, statistical, computational

• g is a randomized encoding of f
• Nontrivial relaxation of computing f
• Hope
• g can be simpler than f
• (meaning of simpler determined by
  application)
• g can be used as a substitute for f

3
Applications at a Glance
Randomized encodings
Secure computation
Parallel cryptography
4
Rest of Tutorial

• Constructions of randomized encodings
• Different notions of simplicity
• Different flavors of encoding
• Information-theoretic
• Computational
• Applications
• Secure computation
• Parallel cryptography

5
Randomized Encoding - Syntax
z
y
g
f
r
x
x
random inputs
inputs
inputs
f(x) is encoded by g(x,r)
6
Randomized Encoding - Semantics

• Correctness f(x) can be efficiently decoded
  from g(x,r).

f(x) ? f(w) ?
g(x,U)
x
r
w
g(w,U)
r

• Privacy ? efficient simulator Sim such that
  Sim(f(x)) g(x,U)
• g(x,U) depends only on f(x)

f(x) f(w) ?
g(x,U)
x
r
w
g(w,U)

r
7
Notions of Simplicity - I

• Application minimal model for secure
  computation Feige-Kilian-Naor 94,

• 2-decomposability g((xA,xB),r)(gA(xA,r),gB(xB,r
  ))

r
gA(xA,r)
gB(xB,r)
8
Example sum

• f(xA,xB) xAxB (xA,xB? finite group G)

xB
xA
Alice
Bob
Carol
9
Example equality

• f(xA,xB) equality (xA,xB?finite field F)

xB
xA
Alice
Bob
Carol
10
Example ANY function

• f(xA,xB) xA ? xB (xA,xB?0,1)
• Reduction to equality xA ? 1/0, xB? 2/0
• General boolean f write as disjoint 2-DNF
• f(xA,xB) ?(a,b)f(a,b)1 (xAa ? xBb) t1?
  t2? ? tm

Exponential complexity
00000000000 ? 0
00000100000 ? 1
11
Notions of Simplicity - II

• Full decomposability g((x1,,xn),r)(g1(x1,r
  ),,gn(xn,r))
• Application Basing SFE on OT Kilian 88, ...

Dishonest Alice?
r
gn(xn,r)
12
Example iterated group product

• Abelian case
• f(x1,,xn)x1x2xn
• g(x, (r1,,rn-1))
• x1r1 x2r2 xn-1rn-1
  xn-r1--rn-1
• General case Kilian 88
• f(x1,,xn)x1x2 xn
• g(x, (r1,,rn-1))
• x1r1 r1-1x2r2 r2-1x2r3
  rn-2-1xn-1rn-1 rn-1-1xn

13
Example iterated group product
Encoding iterated group product ?1??2??3?
??m ? ?1r1 r1-1?2r2 r2-1?3r3
rm-1-1?m

• Every output bit of g depends on just a single
  bit of x
• Efficient fully decomposable encoding for every
  f?NC1

14
Notions of Simplicity - III

• Low degree g(x,r) vector of degree-d poly in
  x,r over F
• aka Randomizing Polynomials I-Kushilevitz
  00,
• Application round-efficient MPC
• Motivating observation Low-degree functions are
  easy to distribute!
• Round complexity of MPC protocols
  BGW88,CCD88,CDM00,
• Semi-honest model
• tltn/d ? 2 rounds
• tltn/2 ? multiplicative depth 1 ?log d?1
  rounds
• Malicious model
• Optimal t ? O(log d) rounds

15
Examples

• Whats wrong with previous examples?
• Great degree in x (degx1), bad degree in r
• Coming up
• Degree-3 encoding for every f
• Efficient in size of branching program

?RS5
16
Notions of Simplicity - IV

• Small locality
• Application parallel cryptography!
  Applebaum, I, Kushilevitz 04,
• Coming up encodings with locality 4
• degree 3, fully decomposable
• efficient in size of branching program

17
Parallel Cryptography
How low can we get?
poly-time
NC
log-space
NC1
AC0
NC0
18
Cryptography in NC0?

• Longstanding open question
• Håstad 87
• Impagliazzo Naor 89
• Goldreich 00
• Cryan Miltersen 01
• Krause Lucks 01
• Mossel Shpilka Trevisan 03
• Real-life motivation super-fast cryptographic
  hardware

19
Main Primitives
OWF
find x?f -1(y)
f
Uin
y f(Uin)
poly-time
PRG
Pseudorandom or Random?
f
f(Uin)
Uin
.
.

Uout
.
poly-time
20
Previous Work

• Positive results
• PRG in NC1, TC0 from factoring, discrete-log,
  lattices
• PRF in TC0 from number theoretic assumptions
  Naor Reingold 97
• Low-stretch PRG in AC0 from subset sum
  Impagliazzo Naor 89
• Goldreich 00 conjectured OWF in NC0

• Negative results
• No PRF in AC0 Linial Mansour Nisan 89
• No PRG, OWF in NC02 Goldreich 00, Cryan
  Miltersen 01
• PRG in NC03, NC04 ? low stretch CM01, Mossel
  Shpilka Trevisan 03

NC1
NC1
NC1
NC1
TC0
TC0
TC0
TC0
AC0
AC0
AC0
AC0
NC0
NC0
open
open
NC04
NC04
low stretch
NC03
NC03
NC02
NC02
NC02
NC02
PRG
OWF
21
Surprising Positive Result AIK04
Compile primitives in a relatively high
complexity class (e.g., NC1, NL/poly, ?L/poly)
into ones in NC0.
NC1 cryptography implied by factoring,
discrete-log, lattices ? essentially settles
open question
locality 4
OWF
NC1
NC1
NC1
NC1
factoring, discrete-log, lattices,
TC0
TC0
TC0
TC0
subset-sum
AC0
AC0
AC0
AC0
impossible
NC0
NC0
NC0
NC0
NC04
NC04
NC04
NC04
low stretch
NC03
NC03
NC02
NC02
NC02
NC02
PRG
OWF
22
Encoding a OWF
Thm. f(x) is a OWF ? g(x,r) is a OWF Proof
inverter B for g ? inverter A for f
g(x,r)z
f(x)y
g(x,r)z

• A succeeds whenever B succeeds
• Dec(z) Dec(g(x,r)) f(x)
• Dec(z) Dec(Sim(y)) y

• A generates a correct input distribution for B
• Sim(f(Un)) g(Un,Um)

23
Encoding a PRG

• Want f(x) is a PRG ? g(x,r) is a PRG
• Problems
• output of g may not be pseudorandom
• g may shrink its input
• Solution perfect randomized encoding
• respects pseudorandomness, additive stretch,
• stretch of g is typically sublinear even if that
  of f is superlinear
• most (not all) known constructions give
  perfectness for free

24
Additional Cryptographic Primitives

• General compiler also applies to
• one-way / trapdoor permutations
• collision-resistant hashing
• public key / symmetric encryption
• signatures / MACs
• commitments
• Caveat decryption / verification not in NC0
• But can commit in NC0 with decommit in
  NC0AND
• Applications coin-flipping, zero-knowledge,

25
Non-cryptographic PRGs

• e-biased generators
• Mossel Shpilka Trevisan 03 superlinear
  stretch in NC05
• Using randomized encoding linear stretch in
  NC03
• optimal locality, stretch

• PRGs for space-bounded computation

26
Remaining Challenge
Coming up

• How to encode complex f by g ? NC0?
• Observation enough to obtain const. degree
  encoding

• Locality Reductiondegree 3 poly over GF(2) ?
  locality 4 rand. encoding

f(x) T1(x) T2(x)
Tk(x)
27
3 Ways to Degree 3
1. Degree-3 encoding using a circuit
representation
28
Using circuit representation (contd.)
q1(x,y)0 q2(x,y)0 ... qs(x,y)0
deg.-2

• works over any field
• complexity exponential in circuit size

29
2. Degree-3 encoding using quadratic characters

• Let N2n, b length-N truth-table of f,
  FGF(q)
• Define p(x1,,xn, r)

• one polynomial
• huge field size

30
3. Perfect Degree-3 Encoding from Branching
Programs
BP(G, s , t, edge-labeling)
Gxsubgraph induced by x
t
s
mod-q NBP f(x) s-t paths in Gx (mod q)

• size of vertices
• circuit-size ? BP-size ? formula-size
• Boolean case q2.
• Captures complexity class ?L/poly

31
Perfect Degree-3 Encoding of BPs
Correctness f(x)det g(x,r1,r2)
1 0 1 0 0 1 0 0 0 1
1 0 0 0 1 0 0 0 1 0 0 0 1
1 0 1 0 0 1 0 0 0 1
1 0 0 0 1 0 0 0 1 0 0 0 1
-1 0 0 -1 0 0 0 -1 0
0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0
-1 0 -1 0 0 -1

Privacy
1 0 0 0 1 0 0 0 1 0 0 0 1
1 0 1 0 0 1 0 0 0 1
-1 0 -1 0 0 -1
1 0 0 0 1 0 0 0 1 0 0 0 1
1 0 1 0 0 1 0 0 0 1
g(x,r1,r2) ?
32
Proof of Lemma
-1 0 -1 0 0 -1
Lemma ? degree-1 mapping L x ?
s.t. det(L(x)) f(x).
Proof
A(x) adjacancy matrix of Gx (over FGF(q))
A IAA2 (I-A)-1
(-1)st ? det (I-A)t,s / det (I-A)
As,t
det (A-I)t,s
L(x) (A(x)-I)t,s
-1 0 -1 0 0 -1 0
0 0 -1 0 0 0 0 -1
0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
L
A
33

• Thm. size-s BP ? degree 3 encoding of size O(s2)
• perfect encoding for mod-q BP (capturing ?L/poly
  for q2)
• imperfect for nondeterministic BP (capturing
  NL/poly)

34
(No Transcript)
35
Is 3 minimal?
36
Wrapping Up
Composition Lemma
37
From Branching Programs to Locality 4
poly-size BPs
f (1)
f (2)
f (l)

BP encoding
composition
g(1)
g(2)
g(l)
locality reduction
h(1)
h(2)
h(l)
concatenation
h
locality 4
38
Computationally Private Encodings

• Known f ? NC1, ?L ? encoding in NC0
• Goal f ? P ? encoding in
  NC0
• Idea relax encoding requirement
• Respects security of most primitives
• Thm f ? P ? computational encoding in NC04
  assuming easy PRG (min-PRG ? ?L)

• Easy PRG can be based on factoring,
  discrete-log, lattices

39
Tool Yaos Garbled Circuit Yao86
Gives rise to a randomized encoding g(x,(ki,b,r))
(ki,xi)i1..n , garbled circuit
40
Garbled Circuit Construction
1-key
0-key
1-key
1-key
0-key
0-key

• Pair of randomly colored keys for each wire
• For each input wire, key corresponding to its
  value is revealed
• Color semantics of output wires are revealed
• Garbled gates

41
Garbled Circuit Construction

• Implementing locks
• (one-time) symmetric encryption
• ? computational privacy, works for any
  circuit
• one-time pads
• ? information-theoretic privacy, efficient
  only for log-depth circuits

1-key
0-key
1-key
1-key
0-key
0-key

• Pair of randomly colored keys for each wire
• For each input wire, key corresponding to its
  value is revealed
• Color semantics of output wires are revealed
• Garbled gates

42
Thm. easy PRG ? encoding in NC0 for all f?P
f ? P
g?NC0
g?NC0min-PRG
one-time symmetric encryption
Yao garbled circuit
g??L
h?NC04
easy PRG
AIK04
43
App 1 Relaxed Assumptions for Crypto in NC0

• Using encoding

perfect
comp.
OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit N
IZK
OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit N
IZK
Assuming easy PRG
Sym-Enc PK-Enc Signature Commit NIZK
Sym-Enc PK-Enc Signature Commit NIZK
? NC0
?
? ?L
exist
44
App 2 Parallel Reductions Between Primitives

• Proof given code of min-PRG
• Construct f ? Pmin-PRG via known reduction
• Use code of f to construct g ? NC0min-PRG
• Note non-black-box reduction!

• What about NC reductions?
• Much less is known.
• New

• Thm. All are equivalent under poly-time reductions

Blum Micali 82, Yao 82, Levin 85, Goldreich
Krawczyk Luby 88, Håstad Impagliazzo Levin Luby
90, Goldreich Micali 84, Goldreich Goldwasser
Micali 84, Goldwasser Micali Rivest 84, Bellare
Micali 88, Naor Yung 89, Rompel 90, Naor 89,
Impagliazzo Luby 89,
NR
NC1
Sym-Enc
PRF
Synthesizer
HILL Viola AIK
NC0
NC0
Regular OWF
min-PRG
Signature
PRG
OWF
Naor
NC0
NC0
Commit
45
App 3 Secure Multiparty Computation

• In case you dont insist on unconditional
  security
• Securely evaluating an arbitrary function f
  efficiently reduces to securely evaluating deg-3
  polynomials
• assuming an easy PRG
• In particular
• Basic MPC protocols (e.g., BGW) imply
  constant-round computationally secure MPC for
  every f.
• Known assuming any PRG BMR90,DI05 however,
  current approach is simpler and can be made more
  efficient DI06.

46
Parallel Pseudorandom Generators
stretch
Pseudorandom or Random?
G
G(Uin)
Uin
Rand
Uout
Poly-time machine
47
PRGs - Parallelism vs. Stretch
complexity
stretch
poly-time
super linear
NC
linear
sub linear
Motivation parallel implementation of crypto
tasks (e.g., Naor commitment, stream cipher)
log-space
NC1
AC0
NC0
NC0l
l
48
Previous Work

• Positive results
• Super-Linear PRG from any PRG Goldreich Micali
  84
• Super-Linear PRG in NC1 from factoring Naor
  Reingold Rosen02, NR97
• Sub-Linear PRG in AC0 from subset sum
  Impagliazzo Naor 89
• Sub-Linear PRG in NC04 from any PRG in NC1 AIK
  04
• Sub-Linear PRG in NC03 from decoding random
  linear code AIK
• Linear PRG in NC04 from Linear PRG in NC0 AIK
  04

• Negative results
• No PRGs in NC02 Goldreich00, Cryan
  Miltersen01
• No Super-Linear PRG in NC03, NC04 CM01,
  MosselShpilkaTrevisan03
• Sub-Linear PRG Linear PRG Viola 05

BB
?
AC0
NC02 NC03 NC04 NC0 AC0 NC1 P
sub linear
linear
super linear















factoring
Open
subset sum/ rand linear code
impossible
PRG
49
New Results AIK06

• Algebraic assumption of Alekhnovich 03 ? LPRG
  in NC0
• LPRG in NC0 ? Inapproximability of MAX 3SAT.

Conclusion Algebraic assumption of Alekhnovich
03 ? Inapporximability of MAX 3SAT.
Already proven directly by Alekhnovich 03
NC02 NC03 NC04 NC0 AC0 NC1 P
sub linear
linear
super linear















Open
PRG
50
Crypto in NC0 and Inapproximability

• k-Constraint Satisfaction Problem
• X1 X3 ? X5 0
• X2 ?X3 ? X4 1
• .
• .
• .
• X2 X3 X4 1
• Q. how many of the constraints can be satisfied
  together?

• List of constraints over n variables x1,,xn
• Each constraint involves k variables

AIK06 If Lin-Stretch PRG in NC0. Then k-CSP
cannot be approximated better than some
multiplicative constant
Corollary of PCP ALMSS,AS92, Din06 If P?NP
Then k-CSP cannot be approximated better than
some multiplicative constant
51
G1(x)
Gm(x)
locality k G
x1
xn

• Suppose we have a .99-approximation alg. A for
  k-CSP.
• We break G as follows.
• Given y(y1,,ym)
• Run A on k-CSP instance Gi(x)yi, i1,,m.
• Output pseudorandom iff output ? .99m

52
On Linear-Stretch PRGs in NC0

• Can be constructed based on a previous assumption
  of Alekhnovich related to the hardness of
  decoding certain error-correcting codes AIK06.
• elementary proof of hardness of approximation!
• However Stronger hardness of approximation
  results based on same assumption already proved
  in Alekhnovich 03 (following Feige 02).
• Hope
• Construct Linear-Stretch PRG based on more
  standard assumptions.
• Strengthen hardness of approximation results.

53
Summary

• Different flavors of randomized encoding
• Motivated by different applications
• Secure computation
• Parallel cryptography
• Hardness of approximation?
• Simplest encodings outputs of form xirjrkrh
• Efficient perfect/statistical encodings for
  various complexity classes (NC1, NL/poly,
  modqL/poly)
• Algebraic approach
• Combinatorial approach information-theoretic
  garbled circuit
• Efficient computationally private encodings for
  all P, assuming Easy PRG.

54
Open Questions
Randomized encoding
Parallel crypto
MPC