Randomization Techniques and Parallel Cryptography

Randomization Techniquesand Parallel Cryptography Yuval Ishai Technion

decoder g x r simulator The Basic Question Dec(g(x,r)) = f(x) f x y Sim(f(x))  g(x,r) • g is a “randomized encoding” of f • Nontrivial relaxation of computing f • Hope: • g can be “simpler” than f (meaning of “simpler” determined by application) • g can be used as a substitute for f Enc(y) Enc(y) Variants:perfect, statistical, computational

Hardness of approximation Applications at a Glance Randomized encodings Secure computation Parallel cryptography

Rest of Tutorial • Constructions of randomized encodings • Different notions of simplicity • Different flavors of encoding • Information-theoretic • Computational • Applications • Secure computation • Parallel cryptography

Randomized Encoding - Syntax z y g f r x x random inputs inputs inputs f(x) is encoded by g(x,r)

Randomized Encoding - Semantics • Correctness: f(x) can be efficiently decoded from g(x,r). f(x)≠ f(w)  g(x,U) x r w g(w,U) r • Privacy:  efficient simulator Sim such that Sim(f(x))≡ g(x,U) • g(x,U) depends only on f(x) f(x)= f(w)  g(x,U) x r w g(w,U) ≡ r

xB xA Alice Bob Carol f(xA,xB) Notions of Simplicity - I • Application: “minimal model for secure computation” [Feige-Kilian-Naor 94, …] • 2-decomposability:g((xA,xB),r)=(gA(xA,r),gB(xB,r)) r gA(xA,r) gB(xB,r)

rRG xA+r xB-r mA+mB Example: sum • f(xA,xB) = xA+xB(xA,xB finite group G) xB xA Alice Bob Carol

r1RF \ {0} , r2RF r1xA+r2 r1xB+r2 mA=mB ? Example: equality • f(xA,xB) = equality (xA,xBfinite field F) xB xA Alice Bob Carol

..... ..... ts t1 ts+1 t2 ts-1 tm Example: ANY function • f(xA,xB) = xA xB (xA,xB{0,1}) • Reduction to equality: xA  1/0, xB 2/0 • General boolean f: write as disjoint 2-DNF • f(xA,xB) = (a,b):f(a,b)=1 (xA=a  xB=b) = t1 t2 … tm Exponential complexity 00000000000  0 00000100000  1

xA Alice gn(0,r) gn(1,r) gA(xA,r) OT OT OT OT OT xn xB f(xA,xB) Bob Notions of Simplicity - II • Full decomposability:g((x1,…,xn),r)=(g1(x1,r),…,gn(xn,r)) • Application: Basing SFE on OT [Kilian 88, ...] Dishonest Alice? r gn(xn,r)

Example: iterated group product • Abelian case • f(x1,…,xn)=x1+x2+…+xn • g(x, (r1,…,rn-1)) = x1+r1 x2+r2 … xn-1+rn-1 xn-r1-…-rn-1 • General case[Kilian 88] • f(x1,…,xn)=x1x2 …xn • g(x, (r1,…,rn-1)) = x1r1r1-1x2r2r2-1x2r3 … rn-2-1xn-1rn-1rn-1-1xn

Thm[Barrington 86]Every boolean fNC1 can be computed by a poly-length, width-5 branching program. r1-12r2 1r1 rm-1-1m • f(x1,…,xn) reduces to 12 …m where: • i  S5 • Each i depends on a singlexj •  distinct 0,1  S5s.t. 12 …m = f(x) f g … … ..… r1 r2 rm-1 x1 x1 x2 x2 xn xn Example: iterated group product Encoding iterated group product123 …m1r1r1-12r2r2-13r3…rm-1-1m • Every output bit of g depends on just a single bit of x • Efficient fully decomposable encoding for every fNC1

Notions of Simplicity - III • Low degree:g(x,r) = vector of degree-d poly in x,r over F • aka “Randomizing Polynomials” [I-Kushilevitz 00,…] • Application: round-efficient MPC • Motivating observation: Low-degree functions are easy to distribute! • Round complexity of MPC protocols [BGW88,CCD88,CDM00,…] • Semi-honest model • t<n/d  2 rounds • t<n/2  multiplicative depth + 1 =log d+1 rounds • Malicious model • Optimal t  O(log d) rounds

r1-12r2 1r1 rm-1-1m f g … … ..… r1 r2 rm-1 x1 x1 x2 x2 xn xn Examples • What’s wrong with previous examples? • Great degree in x (degx=1), bad degree in r • Coming up: • Degree-3 encoding for every f • Efficient in size of branching program RS5

x r Notions of Simplicity - IV • Small locality: • Application: parallel cryptography! [Applebaum, I, Kushilevitz 04,…] • Coming up: encodings with locality 4 • degree 3, fully decomposable • efficient in size of branching program

Parallel Cryptography How low can we get? poly-time NC log-space NC1 AC0 NC0

Tempting conjecture: [CM]: Yes crypto hardness “complex” function [G]: No Cryptography in NC0? • Longstanding open question Håstad 87 Impagliazzo Naor 89 Goldreich 00 Cryan Miltersen 01 Krause Lucks 01 Mossel Shpilka Trevisan 03 • Real-life motivation: super-fast cryptographic hardware

Main Primitives OWF find xf -1(y) f Uin y = f(Uin) poly-time PRG Pseudorandom or Random? f Uin f(Uin) …. …. Uout …. poly-time

factoring, discrete-log, lattices, … subset sum impossible Previous Work • Positive results • PRG in NC1, TC0from factoring, discrete-log, lattices… • PRF in TC0 from number theoretic assumptions[Naor Reingold 97] • Low-stretchPRG in AC0from subset sum[Impagliazzo Naor 89] • [Goldreich 00]conjectured OWF in NC0 • Negative results • No PRF in AC0[Linial Mansour Nisan 89] • No PRG, OWF in NC02[Goldreich 00, Cryan Miltersen01] • PRG in NC03, NC04 low stretch[CM01, Mossel Shpilka Trevisan03] NC1 NC1 NC1 NC1 TC0 TC0 TC0 TC0 AC0 AC0 AC0 AC0 NC0 NC0 open open NC04 NC04 low stretch NC03 NC03 NC02 NC02 NC02 NC02 PRG OWF

OWF open open Surprising Positive Result [AIK04] Compile primitives in a “relatively high” complexity class (e.g., NC1, NL/poly, L/poly) into ones in NC0. NC1 cryptography implied by factoring, discrete-log, lattices…  essentially settles open question locality 4 OWF NC1 NC1 NC1 NC1 factoring, discrete-log, lattices, … TC0 TC0 TC0 TC0 subset-sum AC0 AC0 AC0 AC0 impossible NC0 NC0 NC0 NC0 NC04 NC04 NC04 NC04 low stretch NC03 NC03 NC02 NC02 NC02 NC02 PRG OWF

Encoding a OWF y B z Simulator x (x,r) yRf(Un) zRg(Un,Um) A prob p prob p Dec(g(x,r)) = f(x) Sim(f(x))  g(x,r) Thm. f(x) is a OWF  g(x,r) is a OWF Proof: inverter B for g  inverter A for f g(x,r)=z g(x,r)=z f(x)=y • A succeeds whenever B succeeds • Dec(z) = Dec(g(x,r)) = f(x) • Dec(z) = Dec(Sim(y)) = y • A generates a correct input distribution for B • Sim(f(Un)) = g(Un,Um)

Encoding a PRG • Want: f(x) is a PRG  g(x,r) is a PRG • Problems: • output of g may not be pseudorandom • g may shrink its input • Solution: “perfect” randomized encoding • respects pseudorandomness, additive stretch, … • stretch of g is typically sublinear even if that of f is superlinear • most (not all) known constructions give perfectness for free

Additional Cryptographic Primitives • General compiler also applies to: • one-way / trapdoor permutations • collision-resistant hashing • public key / symmetric encryption • signatures / MACs • commitments • … • Caveat: decryption / verification not in NC0… • … But: can commit in NC0 with decommit in NC0[AND] • Applications: coin-flipping, zero-knowledge, …

Non-cryptographic PRGs • ε-biasedgenerators [Mossel Shpilka Trevisan 03]:superlinear stretch in NC05 • Using randomized encoding: linear stretch in NC03 • optimal locality, stretch • PRGs for space-bounded computation

… g(x,r,s) = T1(x)+r1 T2(x)+r2 Tk(x)+rk … –r1+s1 –s1 –r2+s2 –sk-1–rk Remaining Challenge Coming up… How to encode “complex” f by g  NC0? • Observation: enough to obtain const. degree encoding • Locality Reduction:degree 3 poly over GF(2)  locality 4rand. encoding f(x) = T1(x) + T2(x) + … + Tk(x)

y3 y1 y2 x5 x2 x3 x4 x1 y1,y2 ,y3 y1=NAND(x1 , x2)= x1(1-x2)+(1-x1)x2+(1-x1)(1-x2) y2=NAND(x3 , x4) y3=NAND(y1 ,y2) 1=NAND(y3 , x5) f(x)=1  Note:  !y1, y2 , y3 3 Ways to Degree 3 1. Degree-3 encoding using a circuit representation

g(x, y,r)= riqi(x,y) deg.-3 f(x)=0  g(x,y,r)is uniform f(x)=1  g(x,y,r) 0given y=y0, otherwise itis uniform • Statistical distance amplified to 1/2 by 2(s) repetitions. Using circuit representation (contd.) q1(x,y)=0 q2(x,y)=0 ... qs(x,y)=0 deg.-2 • works over any field • complexity exponential in circuit size

Fact from number theory: 2. Degree-3 encoding using quadratic characters • Let N=2n, b = length-N truth-table of f, F=GF(q) • Define p(x1,…,xn, r) = • one polynomial • huge field size

t s 3. Perfect Degree-3 Encoding from Branching Programs BP=(G, s , t, edge-labeling) Gx=subgraph induced by x t s mod-q NBP: f(x) = # s-t paths in Gx (mod q) • size = # of vertices • circuit-size  BP-size  formula-size • Boolean case: q=2. • Captures complexity class L/poly

BP=(G, s, t, edge-labeling) Gx=subgraph induced by x t t s s mod-q BP: f(x) = # st paths in Gx mod q. size(BP) * * * *-1 * * *0 -1 * *0 0 -1 * Lemma:degree-1 mapping L : x s.t. det(L(x))= f(x). detL(x) (= f(x)) Encoding based on Lemma:g(x,r1,r2)= R1(r1)L(x)R2(r2) 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 -1 -1 0 0 0 *-10 0 00 -10 0 0 0 -10 1 0 0*0 1 0* 0 0 1*0 0 0 1 1* * *0 1* *0 0 1*0 0 0 1 Perfect Degree-3 Encoding of BPs Correctness:f(x)=detg(x,r1,r2) 1 * * * 0 1 * * 0 0 1 * 0 0 0 1 1* * *0 1* *0 0 1*0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0*0 1 0* 0 0 1*0 0 0 1 1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1 0 0 0 *-10 0 00 -10 0 0 0 -10 * * * *-1 * * 00 -1 * 0 0 0 -10 = Privacy: 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 g(x,r1,r2) 

s t s t Proof of Lemma * * * *-1 * * * 0 -1 * * 0 0 -1 * Lemma:degree-1 mapping L : x s.t. det(L(x))= f(x). Proof: A(x)= adjacancy matrix of Gx (over F=GF(q)) A* = I+A+A2+… = (I-A)-1 (-1)s+t det (I-A)|t,s / det (I-A) A*s,t = = det (A-I)|t,s L(x)= (A(x)-I)|t,s 0 * * * * 0 0 * * * 0 0 0 * * 0 0 0 0 * 0 0 0 0 0 -1 * * * * 0 -1 * * * 0 0 -1 * * 0 0 0 -1 * 0 0 0 0 -1 L= A=

Thm. size-s BP  degree 3 encoding of size O(s2) • perfect encoding for mod-q BP (capturing L/poly for q=2) • imperfect for nondeterministic BP (capturing NL/poly)

The secure evaluation of an arbitrary function can be reduced to the secure evaluation of degree-3 polynomials. • Round complexity of information-theoretic MPC in semi-honest model: • How many rounds for maximal privacy? • How much privacy in 2 rounds? 3 rounds suffice t<n/3 suffices • perfect privacy + correctness • complexity O(BP-size2)

Thm . [IK00] A boolean function f admits a perfectly private degree-2 encoding over F if and only if either: • f or its negation test for a linear condition Ax=b over F; • f admits standard representation by a degree-2 polynomial over F. Is 3 minimal?

hencodes g h’encodes f Concatenation Lemma: … f g(1)encodes f(1) g(l)encodes f(l) g encodes f g encodes f … … Wrapping Up Composition Lemma:

… … … … … … … … … s s s … … … … … … t t t degree 3 … … NC04 … … … … … … … … … … … … … … … … … … … … … … NC04 … From Branching Programs to Locality 4 poly-size BPs f (1) f (2) f (l) … BP encoding composition g(1) g(l) g(2) locality reduction h(1) h(2) h(l) concatenation h locality 4

g x r  comp Enc(y) Computationally Private Encodings • Known: f  NC1, L encoding inNC0 • Goal:fP  encoding in NC0 • Idea: relax encoding requirement • Respects security of most primitives • Thm:fP  computational encoding in NC04 assuming “easy PRG” (min-PRG  L) • “Easy PRG” can be based on factoring, discrete-log, lattices

0110111010010011 01101101010011001 1110101010100110 0110101101010011 10111010100100111 0111010100101111 1111010100101111 1111100101101110 1101010100111010 01010100110111011 0101100111011011 0101010011111011 1001001010110111 0001101010110111 10010101010010111 1001011001010110 x2 x3 x4 x1 K1,0 K2,0 K3,0 K4,0 K1,1 K2,1 K3,1 K4,1 Tool: Yao’s Garbled Circuit [Yao86] Gives rise to a randomized encoding: g(x,(ki,b,r))= (ki,xi)i=1..n , garbled circuit

Garbled Circuit Construction 1-key 0-key • Pair of randomly colored keys for each wire • For each input wire, key corresponding to its value is revealed • Color semantics of output wires are revealed • Garbled gates: 1-key 1-key 0-key 0-key

Garbled Circuit Construction • Implementing locks • (one-time) symmetric encryption •  computational privacy, works for any circuit • one-time pads •  information-theoretic privacy, efficient only for log-depth circuits 1-key 0-key • Pair of randomly colored keys for each wire • For each input wire, key corresponding to its value is revealed • Color semantics of output wires are revealed • Garbled gates: 1-key 1-key 0-key 0-key

one-time symmetric encryption NC0[min-PRG] Thm. “easy PRG” encoding in NC0 for allfP f  P gNC0[ ] one-time symmetric encryption gNC0[min-PRG] Yao garbled circuit gL hNC04 easy PRG [AIK04]

App 1: Relaxed Assumptions for Crypto in NC0 • Using encoding: comp. perfect OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK Assuming “easy PRG” Sym-Enc PK-Enc Signature Commit NIZK Sym-Enc PK-Enc Signature Commit NIZK  NC0   L exist

NC0 NC0 App 2: Parallel Reductions Between Primitives • Proof: given code of min-PRG • Construct f  P[min-PRG] via known reduction • Use code of f to construct g  NC0[min-PRG] • Note: non-black-box reduction! • What about NC reductions? • Much less is known…. • New Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, … • Thm. All are equivalent under poly-time reductions NR NC1 Sym-Enc PRF Synthesizer HILL Viola AIK NC0 NC0 “Regular” OWF Signature min-PRG PRG OWF Naor NC0 NC0 Commit

App 3: Secure Multiparty Computation • In case you don’t insist on unconditional security… • Securely evaluating an arbitrary function f efficiently reduces to securely evaluating deg-3 polynomials • … assuming an “easy PRG” • In particular: • Basic MPC protocols (e.g., BGW) imply constant-round computationally secure MPC for everyf. • Known assuming any PRG [BMR90,DI05]; however, current approach is simpler and can be made more efficient [DI06].

Crypto in NC0 and Inapproximability k-Constraint Satisfaction Problem • X1+X3 X5 =0 • X2X3 X4 =1 . . . • X2+X3 +X4 =1 • Q. how many of the constraints can be satisfied together? • List of constraints over n variables x1,…,xn • Each constraint involves k variables AIK06 If:Lin-Stretch PRG in NC0. Then: k-CSP cannot be approximated better than some multiplicative constant Corollary of PCP [ALMSS,AS92, Din06] If:PNP Then: k-CSP cannot be approximated better than some multiplicative constant

G1(x) Gm(x) locality = k G x1 xn • Suppose we have a .99-approximation alg. A for k-CSP. • We break G as follows. • Given y=(y1,…,ym): • Run A on k-CSP instance “Gi(x)=yi”, i=1,…,m. • Output “pseudorandom” iff output  .99m

On Linear-Stretch PRGs in NC0 • Can be constructed based on a previous assumption of Alekhnovich related to the hardness of decoding certain error-correcting codes [AIK06]. • elementary proof of hardness of approximation! • However: Stronger hardness of approximation results based on same assumption already proved in [Alekhnovich 03] (following [Feige 02]). • Hope: • Construct Linear-Stretch PRG based on more standard assumptions. • Strengthen hardness of approximation results.

Summary • Different flavors of randomized encoding • Motivated by different applications • Secure computation • Parallel cryptography • Hardness of approximation? • “Simplest” encodings: outputs of form xirjrk+rh • Efficient perfect/statistical encodings for various complexity classes (NC1, NL/poly, modqL/poly) • Algebraic approach • Combinatorial approach: information-theoretic garbled circuit • Efficient computationally private encodings for all P, assuming “Easy PRG”.

poly-size NC0 encoding for every fP? • Unconditionally secure constant-round protocols for every fP? • OWF  • OWF in NC0? • OWF in NC1 • OWF in NC03? • locality 3 for every f? • maximal privacy with minimal interaction? • better constant-round protocols? • better encodings? • practical hardware? Open Questions Randomized encoding Parallel crypto MPC

Randomization Techniques and Parallel Cryptography