Transcript sctut 6481

Randomization Techniques
and Parallel Cryptography
Yuval Ishai
Technion
The Basic Question
[Figure: x → f → y; (x, r) → g; a decoder recovers f(x) from g(x,r), Dec(g(x,r)) = f(x); a simulator produces g(x,r) from f(x) alone, Sim(f(x)) ≡ g(x,r); Enc(y) denotes the encoding of the output y]
• g is a “randomized encoding” of f
– Variants: perfect, statistical, computational
– Nontrivial relaxation of computing f
• Hope:
– g can be “simpler” than f (meaning of “simpler” determined by application)
– g can be used as a substitute for f
Applications at a Glance
[Figure: randomized encodings feed three applications]
• Secure computation
• Parallel cryptography
• Hardness of approximation
Rest of Tutorial
• Constructions of randomized encodings
– Different notions of simplicity
– Different flavors of encoding
• Information-theoretic
• Computational
• Applications
– Secure computation
– Parallel cryptography
Randomized Encoding - Syntax
[Figure: f maps the inputs x to y; g maps the inputs x together with the random inputs r to z]
f(x) is encoded by g(x,r)
Randomized Encoding - Semantics
• Correctness: f(x) can be efficiently decoded from g(x,r).
– f(x) ≠ f(w) ⇒ g(x,U) and g(w,U) can be told apart
• Privacy: ∃ efficient simulator Sim such that Sim(f(x)) ≡ g(x,U)
– g(x,U) depends only on f(x)
– f(x) = f(w) ⇒ g(x,U) ≡ g(w,U)
Notions of Simplicity - I
• Application: “minimal model for secure computation” [Feige-Kilian-Naor 94, …]
• 2-decomposability: g((xA,xB),r) = (gA(xA,r), gB(xB,r))
[Figure: Alice holds xA and Bob holds xB; they share the randomness r; Alice sends gA(xA,r) and Bob sends gB(xB,r) to Carol, who outputs f(xA,xB)]
Example: sum
• f(xA,xB) = xA + xB (xA, xB ∈ finite group G)
– Shared randomness r ←R G
– Alice sends mA = xA + r, Bob sends mB = xB − r
– Carol outputs mA + mB
Example: equality
• f(xA,xB) = equality (xA, xB ∈ finite field F)
– Shared randomness r1 ←R F \ {0}, r2 ←R F
– Alice sends mA = r1·xA + r2, Bob sends mB = r1·xB + r2
– Carol outputs “mA = mB ?”
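The equality encoding above, worked out as an added example (not code from the tutorial): both parties' messages, Carol's decoder, a simulator that sees only f(xA,xB), and an exhaustive check that Carol's view is perfectly private. The field GF(7) is an assumed choice so the check stays small.

```python
from fractions import Fraction
from collections import Counter
import random

P = 7  # constructed choice: F = GF(7), small enough to check privacy exhaustively

def encode_alice(x_a, r1, r2):
    """Alice's message mA = r1*xA + r2 over F (shared r1 != 0, r2)."""
    return (r1 * x_a + r2) % P

def encode_bob(x_b, r1, r2):
    """Bob's message mB = r1*xB + r2 over F, with the same shared randomness."""
    return (r1 * x_b + r2) % P

def decode(m_a, m_b):
    """Carol's decoder: mA == mB iff xA == xB (this is why r1 must be nonzero)."""
    return int(m_a == m_b)

def simulate(y):
    """Simulator: sample Carol's view from f(xA,xB) = y alone."""
    m_a = random.randrange(P)
    if y:
        return (m_a, m_a)
    return (m_a, random.choice([v for v in range(P) if v != m_a]))

def real_view_distribution(x_a, x_b):
    """Exact distribution of (mA, mB) over r1 in F\\{0}, r2 in F."""
    counts = Counter((encode_alice(x_a, r1, r2), encode_bob(x_b, r1, r2))
                     for r1 in range(1, P) for r2 in range(P))
    return {v: Fraction(c, (P - 1) * P) for v, c in counts.items()}

def simulated_distribution(y):
    """Exact distribution of simulate(y): uniform pair, equal iff y == 1."""
    if y:
        return {(m, m): Fraction(1, P) for m in range(P)}
    return {(a, b): Fraction(1, P * (P - 1)) for a in range(P) for b in range(P) if a != b}

def check_correctness():
    return all(decode(encode_alice(a, r1, r2), encode_bob(b, r1, r2)) == int(a == b)
               for a in range(P) for b in range(P) for r1 in range(1, P) for r2 in range(P))

def check_privacy():
    """Perfect privacy: the real view depends only on whether xA == xB."""
    return all(real_view_distribution(a, b) == simulated_distribution(int(a == b))
               for a in range(P) for b in range(P))
```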
Example: ANY function
• f(xA,xB) = xA ∧ xB (xA, xB ∈ {0,1})
– Reduction to equality: xA ↦ 1/0, xB ↦ 2/0
• General boolean f: write as disjoint 2-DNF
– f(xA,xB) = ∨_{(a,b): f(a,b)=1} (xA = a ∧ xB = b) = t1 ∨ t2 ∨ … ∨ tm
[Figure: the terms t1,…,ts and ts+1,…,tm are encoded term by term; because the terms are disjoint, the vector of term values is all-zero when f(x) = 0 and contains exactly one 1 when f(x) = 1 (e.g. 00000000000 → 0, 00000100000 → 1)]
– Exponential complexity
Notions of Simplicity - II
• Full decomposability: g((x1,…,xn),r) = (g1(x1,r),…,gn(xn,r))
– Application: Basing SFE on OT [Kilian 88, ...]
[Figure: Alice holds xA and the randomness r and sends gA(xA,r) to Bob; for each bit xi of Bob’s input, Alice offers the pair (gi(0,r), gi(1,r)) through an OT, Bob receives gi(xi,r) and decodes f(xA,xB); the figure asks: dishonest Alice?]
Example: iterated group product
• Abelian case
– f(x1,…,xn) = x1 + x2 + … + xn
– g(x, (r1,…,r_{n-1})) = (x1 + r1, x2 + r2, …, x_{n-1} + r_{n-1}, xn − r1 − … − r_{n-1})
• General case [Kilian 88]
– f(x1,…,xn) = x1 x2 … xn
– g(x, (r1,…,r_{n-1})) = (x1 r1, r1⁻¹ x2 r2, r2⁻¹ x3 r3, …, r_{n-2}⁻¹ x_{n-1} r_{n-1}, r_{n-1}⁻¹ xn)
Example: iterated group product
Thm [Barrington 86]: Every boolean f ∈ NC1 can be computed by a poly-length, width-5 branching program.
f(x1,…,xn) reduces to σ1 σ2 … σm where:
• σi ∈ S5
• each σi depends on a single xj
• ∃ distinct σ0, σ1 ∈ S5 s.t. σ1 σ2 … σm = σ_{f(x)}
Encoding iterated group product
g(x, (r1,…,r_{m-1})) = (σ1 r1, r1⁻¹ σ2 r2, …, r_{m-1}⁻¹ σm), with ri ←R S5
• Every output of g depends on just a single bit of x (and on r)
⇒ Efficient fully decomposable encoding for every f ∈ NC1
Notions of Simplicity - III
• Low degree: g(x,r) = vector of degree-d polynomials in x,r over F
– aka “Randomizing Polynomials” [I-Kushilevitz 00,…]
– Application: round-efficient MPC
• Motivating observation: low-degree functions are easy to distribute!
– Round complexity of MPC protocols [BGW88,CCD88,CDM00,…]
• Semi-honest model
– t < n/d ⇒ 2 rounds
– t < n/2 ⇒ multiplicative depth + 1 = log d + 1 rounds
• Malicious model
– Optimal t ⇒ O(log d) rounds
Examples
• What’s wrong with previous examples?
– Great degree in x (deg_x = 1), bad degree in r
[Figure: the group-product encoding (σ1 r1, r1⁻¹ σ2 r2, …, r_{m-1}⁻¹ σm) with ri ←R S5 has high degree in the random inputs r1, r2, …, r_{m-1}]
• Coming up:
– Degree-3 encoding for every f
– Efficient in size of branching program
Notions of Simplicity - IV
• Small locality: each output of g depends on only a constant number of the inputs x, r
– Application: parallel cryptography! [Applebaum, I, Kushilevitz 04,…]
• Coming up: encodings with locality 4
– degree 3, fully decomposable
– efficient in size of branching program
Parallel Cryptography
How low can we get?
[Figure: hierarchy of complexity classes, from poly-time down through NC, log-space, NC1 and AC0 to NC0]
Cryptography in NC0?
• Longstanding open question [Håstad 87, Impagliazzo Naor 89, Goldreich 00, Cryan Miltersen 01, Krause Lucks 01, Mossel Shpilka Trevisan 03]
• Real-life motivation: super-fast cryptographic hardware
• Tempting conjecture: “complex” function ⇔ crypto hardness
– [CM]: Yes
– [G]: No
Main Primitives
[Figure]
• OWF: f maps U_in to y = f(U_in); a poly-time adversary must find x ∈ f⁻¹(y)
• PRG: f maps U_in to the longer output f(U_in); a poly-time adversary must decide: pseudorandom (f(U_in)) or random (U_out)?
Previous Work
• Negative results
– No PRF in AC0 [Linial Mansour Nisan 89]
– No PRG in NC0_2 [Goldreich 00, Cryan Miltersen 01]
– PRG in NC0_3, NC0_4 ⇒ low stretch [CM01, Mossel Shpilka Trevisan 03]
• Positive results
– PRG in NC1, TC0 from factoring, discrete-log, lattices…
– PRF in TC0 from number theoretic assumptions [Naor Reingold 97]
– Low-stretch PRG in AC0 from subset sum [Impagliazzo Naor 89]
• [Goldreich 00] conjectured OWF in NC0
[Chart: PRG and OWF columns against the classes NC1, TC0, AC0, NC0_4, NC0_3, NC0_2; entries: factoring, discrete-log, lattices, … at NC1; subset sum at AC0; low stretch (PRG) and open (OWF) at NC0_4 and NC0_3; impossible at NC0_2]
Surprising Positive Result [AIK04]
Compile primitives in a “relatively high” complexity class (e.g., NC1, NL/poly, L/poly) into ones in NC0.
NC1 cryptography implied by factoring, discrete-log, lattices… ⇒ locality 4
⇒ essentially settles open question
[Chart: the same PRG/OWF table as before, with the NC0_4 entries now filled by the [AIK04] result; NC0_3 remains open and NC0_2 impossible]
Encoding a OWF
Thm. f(x) is a OWF ⇒ g(x,r) is a OWF
Proof: inverter B for g ⇒ inverter A for f
[Figure: A receives y ←R f(Un), computes z = Sim(y) (distributed as z ←R g(Un,Um)) and hands z to B; B returns (x,r) with g(x,r) = z with probability p; A outputs x, and f(x) = y with the same probability p]
• A succeeds whenever B succeeds
– Dec(z) = Dec(g(x,r)) = f(x)
– Dec(z) = Dec(Sim(y)) = y
(using Dec(g(x,r)) = f(x) and Sim(f(x)) ≡ g(x,r))
• A generates a correct input distribution for B
– Sim(f(Un)) ≡ g(Un,Um)
Encoding a PRG
• Want: f(x) is a PRG ⇒ g(x,r) is a PRG
• Problems:
– output of g may not be pseudorandom
– g may shrink its input
• Solution: “perfect” randomized encoding
– respects pseudorandomness, additive stretch, …
– stretch of g is typically sublinear even if that of f is superlinear
– most (not all) known constructions give perfectness for free
Additional Cryptographic Primitives
• General compiler also applies to:
– one-way / trapdoor permutations
– collision-resistant hashing
– public key / symmetric encryption
– signatures / MACs
– commitments
– …
• Caveat: decryption / verification not in NC0…
– … But: can commit in NC0 with decommit in NC0[AND]
– Applications: coin-flipping, zero-knowledge, …
Non-cryptographic PRGs
• ε-biased generators
– [Mossel Shpilka Trevisan 03]: superlinear stretch in NC0_5
– Using randomized encoding: linear stretch in NC0_3
• optimal locality, stretch
• PRGs for space-bounded computation
Remaining Challenge
How to encode “complex” f by g ∈ NC0?
• Observation: enough to obtain a constant-degree encoding
• Locality Reduction: degree-3 polynomial over GF(2) ⇒ locality-4 randomized encoding
f(x) = T1(x) + T2(x) + … + Tk(x)
g(x,r,s) = (T1(x) + r1, −r1 + s1, T2(x) + r2, −s1 − r2 + s2, …, Tk(x) + rk, −s_{k-1} − rk)
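The locality reduction above, implemented as an added example (not the tutorial's own code) for a constructed degree-3 polynomial over GF(2): the encoder, the decoder (sum all outputs), a simulator, the locality bound of 4, and an exhaustive check that g(x,U) is uniform over the vectors whose sum is f(x).

```python
import itertools
import random
from collections import Counter

# Constructed degree-3 polynomial over GF(2) on 4 variables, as a list of monomials:
# f(x) = x0*x1*x2 + x1*x3 + x2, i.e. T1 + T2 + T3 with k = 3 terms.
TERMS = [(0, 1, 2), (1, 3), (2,)]
N_VARS = 4

def term(t, x):
    return int(all(x[i] for i in t))

def f(x):
    return sum(term(t, x) for t in TERMS) % 2

def encode(x, r, s):
    """g(x,r,s) from the slide; over GF(2) every '-' is a '+'.  r has k bits,
    s has k-1 bits.  Outputs alternate T_i(x)+r_i with the chaining term
    -s_{i-1} - r_i + s_i, so that all masks cancel in the sum."""
    k = len(TERMS)
    out = []
    for i, t in enumerate(TERMS):
        out.append((term(t, x) + r[i]) % 2)                    # T_i(x) + r_i (locality <= 4)
        chain = r[i] + (s[i - 1] if i > 0 else 0) + (s[i] if i < k - 1 else 0)
        out.append(chain % 2)                                  # -s_{i-1} - r_i + s_i (locality <= 3)
    return tuple(out)

def decode(z):
    return sum(z) % 2

def simulate(y, k=len(TERMS)):
    """Simulator: uniform vector of 2k bits with parity y, from f(x) = y alone."""
    bits = [random.randrange(2) for _ in range(2 * k - 1)]
    return tuple(bits + [(y - sum(bits)) % 2])

def locality():
    """Largest number of input bits (from x, r or s) that any single output reads."""
    k = len(TERMS)
    return max(max(len(t) + 1 for t in TERMS), 1 + (k > 1) + (k > 2))

def check_privacy():
    """Perfect privacy: for every x, g(x,U) is uniform over vectors with parity f(x)."""
    k = len(TERMS)
    for x in itertools.product((0, 1), repeat=N_VARS):
        real = Counter(encode(x, bits[:k], bits[k:])
                       for bits in itertools.product((0, 1), repeat=2 * k - 1))
        ideal = {v: 1 for v in itertools.product((0, 1), repeat=2 * k) if sum(v) % 2 == f(x)}
        if dict(real) != ideal:
            return False
    return True

def check_correctness():
    k = len(TERMS)
    return all(decode(encode(x, bits[:k], bits[k:])) == f(x)
               for x in itertools.product((0, 1), repeat=N_VARS)
               for bits in itertools.product((0, 1), repeat=2 * k - 1))
```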
3 Ways to Degree 3
1. Degree-3 encoding using a circuit representation
[Figure: a NAND circuit over the inputs x1,…,x5 with internal wires y1, y2, y3 and output 1]
y1 = NAND(x1, x2) = x1(1−x2) + (1−x1)x2 + (1−x1)(1−x2)
y2 = NAND(x3, x4)
y3 = NAND(y1, y2)
1 = NAND(y3, x5)
f(x) = 1 ⇔ ∃ y1, y2, y3 satisfying these equations
Note: ∃! y1, y2, y3 (the wire values are determined by x)
Using circuit representation (contd.)
Write the gate equations as q1(x,y) = 0, q2(x,y) = 0, …, qs(x,y) = 0 (each qi of degree 2)
g(x, y, r) = Σ ri qi(x,y) (degree 3)
f(x) = 0 ⇒ g(x,y,r) is uniform
f(x) = 1 ⇒ g(x,y,r) ≡ 0 given y = y0, otherwise it is uniform
Statistical distance amplified to 1/2 by 2^O(s) repetitions.
• works over any field
• complexity exponential in circuit size
2. Degree-3 encoding using quadratic characters
Fact from number theory: ∀ N-bit sequence b ∈ {0,1}^N ∃ prime q (≤ 2^O(N)) ∃ d ≥ 0 such that b = χq(d) χq(d+1) … χq(d+N−1), where χq is the quadratic character mod q
• Let N = 2^n, b = length-N truth-table of f, F = GF(q)
• Define p(x1,…,xn, r) = (d + Σ_{i=1}^{n} 2^{i−1} xi) · r²
• one polynomial
• huge field size
3. Perfect Degree-3 Encoding from Branching Programs
BP = (G, s, t, edge-labeling)
[Figure: a DAG G with source s and sink t whose edges are labeled by literals of x1,…,x5 or by the constant 1; Gx = subgraph induced by x, i.e. the edges whose labels are satisfied by x]
mod-q NBP: f(x) = # s-t paths in Gx (mod q)
• size = # of vertices
• circuit-size ≤ BP-size ≤ formula-size
• Boolean case: q = 2.
• Captures complexity class L/poly
Perfect Degree-3 Encoding of BPs
BP = (G, s, t, edge-labeling); Gx = subgraph induced by x
mod-q BP: f(x) = # s-t paths in Gx mod q.
Lemma: ∃ degree-1 mapping L : x ↦ L(x), a (size(BP) − 1)-dimensional square matrix with arbitrary entries (*) on and above the diagonal, −1 on the subdiagonal and 0 below it, s.t. det(L(x)) = f(x).
Encoding based on Lemma: g(x, r1, r2) = R1(r1) · L(x) · R2(r2), where R1(r1) and R2(r2) are random unit-triangular matrices (1 on the diagonal, the entries marked $ in the figure filled from r1 and r2).
Correctness: f(x) = det g(x, r1, r2), since det R1 = det R2 = 1.
Privacy: [Figure: multiplying L(x) by suitable unit-triangular matrices on the left and on the right clears every * entry except the top-right corner, which becomes det L(x) = f(x); hence g(x, r1, r2) is distributed as R1(r1) · C · R2(r2) for the matrix C that has f(x) in the top-right corner, −1 on the subdiagonal and 0 elsewhere, and this distribution depends only on f(x)]
Proof of Lemma
Lemma: ∃ degree-1 mapping L : x ↦ L(x) (matrix with arbitrary entries * on and above the diagonal, −1 on the subdiagonal and 0 below) s.t. det(L(x)) = f(x).
Proof:
A(x) = adjacency matrix of Gx (over F = GF(q)), with the vertices ordered so that s comes first and t last; since Gx is acyclic, A(x) is strictly upper triangular
A* = I + A + A² + … = (I − A)⁻¹, so A*_{s,t} = # s-t paths in Gx
A*_{s,t} = (−1)^{s+t} · det (I − A)|_{t,s} / det (I − A) = det (A − I)|_{t,s}
L(x) = (A(x) − I)|_{t,s} (delete row t and column s)
[Figure: A has * entries above the diagonal and 0 elsewhere; deleting row t and column s from A − I leaves * on and above the diagonal, −1 on the subdiagonal and 0 below, as required]
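The lemma's construction L(x) = (A(x) − I)|_{t,s}, carried out as an added example (not the tutorial's own code) for a constructed mod-2 branching program on five vertices: the determinant of L(x) over GF(2) is compared against a direct count of s-t paths for every input.

```python
import itertools

# Constructed mod-2 branching program: DAG on vertices 0..4, s = 0, t = 4.
# An edge label None means the edge is always present; (i, b) means it is
# present in G_x exactly when x[i] == b.  Vertices are in topological order.
N, S, T = 5, 0, 4
EDGES = [(0, 1, (0, 1)), (0, 2, (0, 0)), (1, 3, (1, 1)), (2, 3, (1, 0)),
         (1, 4, (2, 1)), (3, 4, None), (2, 4, (2, 0))]

def adjacency(x):
    """A(x): adjacency matrix of G_x; strictly upper triangular since u < v on every edge."""
    A = [[0] * N for _ in range(N)]
    for u, v, label in EDGES:
        if label is None or x[label[0]] == label[1]:
            A[u][v] = 1
    return A

def count_paths_mod2(x):
    """f(x) = number of s-t paths in G_x mod 2, by dynamic programming (reference value)."""
    A = adjacency(x)
    ways = [0] * N
    ways[S] = 1
    for v in range(N):
        ways[v] = (ways[v] + sum(ways[u] * A[u][v] for u in range(v))) % 2
    return ways[T]

def L_matrix(x):
    """L(x) = (A(x) - I) with row t and column s deleted; over GF(2), -1 == 1.
    Every entry is a degree-1 function of x, as the lemma requires."""
    A = adjacency(x)
    return [[(A[i][j] + (i == j)) % 2 for j in range(N) if j != S]
            for i in range(N) if i != T]

def det_mod2(M):
    """Determinant over GF(2) by Gaussian elimination: 1 iff M has full rank."""
    M = [row[:] for row in M]
    n = len(M)
    for c in range(n):
        pivot = next((r for r in range(c, n) if M[r][c]), None)
        if pivot is None:
            return 0
        M[c], M[pivot] = M[pivot], M[c]
        for r in range(c + 1, n):
            if M[r][c]:
                M[r] = [a ^ b for a, b in zip(M[r], M[c])]
    return 1

def check_lemma():
    """det L(x) = f(x) for every input of the constructed BP."""
    return all(det_mod2(L_matrix(x)) == count_paths_mod2(x)
               for x in itertools.product((0, 1), repeat=3))
```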
Thm. size-s BP ⇒ degree-3 encoding of size O(s²)
• perfect encoding for mod-q BP (capturing L/poly for q=2)
• imperfect for nondeterministic BP (capturing NL/poly)
The secure evaluation of an arbitrary function can be reduced to the secure evaluation of degree-3 polynomials.
Round complexity of information-theoretic MPC in the semi-honest model:
• How many rounds for maximal privacy? 3 rounds suffice
• How much privacy in 2 rounds? t < n/3 suffices
• perfect privacy + correctness
• complexity O(BP-size²)
Is 3 minimal?
Thm. [IK00]
A boolean function f admits a perfectly private degree-2 encoding over F if and only if either:
• f or its negation tests for a linear condition Ax = b over F;
• f admits standard representation by a degree-2 polynomial over F.
Wrapping Up
Composition Lemma: if g encodes f and h encodes g, then h’ (h composed with g, using the randomness of both) encodes f
Concatenation Lemma: if g(1) encodes f(1), …, g(l) encodes f(l), then g = (g(1),…,g(l)) encodes f = (f(1),…,f(l))
From Branching Programs to Locality 4
[Figure: f = (f(1),…,f(l)) is given by poly-size BPs; the BP encoding turns each f(i) into a degree-3 g(i); the locality reduction turns each g(i) into h(i) ∈ NC0_4; by the composition lemma h(i) encodes f(i), and by concatenation h = (h(1),…,h(l)) ∈ NC0_4 encodes f with locality 4]
Computationally Private Encodings
• Known: f ∈ NC1, L ⇒ encoding in NC0
• Goal: f ∈ P ⇒ encoding in NC0
• Idea: relax encoding requirement
[Figure: (x, r) → g, with g(x,r) only computationally indistinguishable from Enc(y)]
• Respects security of most primitives
• Thm: f ∈ P ⇒ computational encoding in NC0_4, assuming “easy PRG” (min-PRG ∈ L)
⇒ “Easy PRG” can be based on factoring, discrete-log, lattices
Tool: Yao’s Garbled Circuit [Yao86]
[Figure: a circuit on inputs x1,…,x4 whose gates are replaced by tables of random-looking strings; each input wire i carries a key pair (K_{i,0}, K_{i,1})]
Gives rise to a randomized encoding:
g(x, (k_{i,b}, r)) = ((k_{i,xi})_{i=1..n}, garbled circuit)
Garbled Circuit Construction
• Pair of randomly colored keys (a 0-key and a 1-key) for each wire
• For each input wire, key corresponding to its value is revealed
• Color semantics of output wires are revealed
• Garbled gates: [Figure: each gate becomes a table of locks keyed by the incoming wire keys]
Implementing locks
– (one-time) symmetric encryption ⇒ computational privacy, works for any circuit
– one-time pads ⇒ information-theoretic privacy, efficient only for log-depth circuits
Thm. “easy PRG” ⇒ encoding in NC0 for all f ∈ P
[Figure: f ∈ P → (Yao garbled circuit) → g ∈ NC0[one-time symmetric encryption] → (easy PRG) → g ∈ NC0[min-PRG] ⊆ L → ([AIK04]) → h ∈ NC0_4]
App 1: Relaxed Assumptions for Crypto in NC0
[Table: Using perfect encoding: OWF, OWP, PRG, Hash, Sym-Enc, PK-Enc, Signature, Commit, NIZK exist in L ⇒ exist in NC0. Using comp. encoding, assuming “easy PRG”: Sym-Enc, PK-Enc, Signature, Commit, NIZK exist ⇒ exist in NC0]
App 2: Parallel Reductions Between Primitives
• What about reductions? Much is known… [Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, …]
• Thm. Primitives that are equivalent under poly-time reductions are also NC0-equivalent, given the code of a min-PRG
• Proof: given code of min-PRG
– Construct f ∈ P[min-PRG] via known reduction
– Use code of f to construct g ∈ NC0[min-PRG]
• Note: non-black-box reduction!
[Figure: map of reductions between OWF, “regular” OWF, min-PRG, PRG, PRF, Sym-Enc, Signature and Commit; known reductions (HILL, Viola, NR synthesizer) are labeled with their complexity (NC1), the new [AIK] reductions with NC0]
App 3: Secure Multiparty Computation
In case you don’t insist on unconditional security…
• Securely evaluating an arbitrary function f efficiently reduces to
securely evaluating deg-3 polynomials
… assuming an “easy PRG”
• In particular:
Basic MPC protocols (e.g., BGW) imply constant-round
computationally secure MPC for every f.
Known assuming any PRG [BMR90,DI05]; however, current
approach is simpler and can be made more efficient [DI06].
Crypto in NC0 and Inapproximability
k-Constraint Satisfaction Problem
• List of constraints over n variables x1,…,xn (e.g. X2 + X3 + X4 = 1, …)
• Each constraint involves k variables
• Q. how many of the constraints can be satisfied together?
Corollary of PCP [ALMSS, AS92, Din06]
If: P ≠ NP
Then: k-CSP cannot be approximated better than some multiplicative constant
AIK06
If: Lin-Stretch PRG in NC0.
Then: k-CSP cannot be approximated better than some multiplicative constant
[Figure: G maps x1,…,xn to G1(x),…,Gm(x); each Gi reads k input bits, so locality = k]
Suppose we have a .99-approximation alg. A for k-CSP. We break G as follows.
Given y = (y1,…,ym):
- Run A on k-CSP instance “Gi(x) = yi”, i = 1,…,m.
- Output “pseudorandom” iff output ≥ .99m
On Linear-Stretch PRGs in NC0
• Can be constructed based on a previous assumption of Alekhnovich related to the hardness of decoding certain error-correcting codes [AIK06].
⇒ elementary proof of hardness of approximation!
• However: Stronger hardness of approximation results
based on same assumption already proved in
[Alekhnovich 03] (following [Feige 02]).
• Hope:
Construct Linear-Stretch PRG based on more standard
assumptions.
Strengthen hardness of approximation results.
Summary
• Different flavors of randomized encoding
– Motivated by different applications
• Secure computation
• Parallel cryptography
• Hardness of approximation?
• “Simplest” encodings: outputs of form xi rj rk + rh
– Efficient perfect/statistical encodings for various complexity classes (NC1, NL/poly, mod-q L/poly)
• Algebraic approach
• Combinatorial approach: information-theoretic garbled circuit
– Efficient computationally private encodings for all P,
assuming “Easy PRG”.
Open Questions
Randomized encoding
• poly-size NC0 encoding for every f ∈ P?
• locality 3 for every f?
• better encodings?
MPC
• Unconditionally secure constant-round protocols for every f ∈ P?
• maximal privacy with minimal interaction?
• better constant-round protocols?
Parallel crypto
• OWF ⇒ OWF in NC0?
• OWF in NC1 ⇒ OWF in NC0_3?
• practical hardware?