Embed Size (px)
DESCRIPTION
Randomization Techniques for Multiparty Computation. Yuval Ishai. Technion. Lesson. “ Unconditionally secure cryptography ” is useful! … even if you don’t care about unconditional security … even if you don’t care about cryptography Today: randomization techniques parallel crypto - PowerPoint PPT Presentation
Citation preview
Randomization Techniquesfor Multiparty Computation
Yuval Ishai
Technion
Lesson
• “Unconditionally secure cryptography” is useful!– … even if you don’t care about unconditional security – … even if you don’t care about cryptography
• Today: randomization techniques parallel crypto• Tomorrow: PIR locally decodable codes
You came to the right place!
Go home!*
*return ticket will NOT be paid by organizers
Interested in unconditional security
in cryptography?
Interested in cryptography?
Interested in Science?
Like traveling, good food, etc.?
no
no
no
no
yes
yes
yes
yes
Enc(y)
The Basic Question
• g is a “randomized encoding” of f– Nontrivial relaxation of computing f
• Hope: g can be “simpler” than f – Meaning of “simpler” determined by application
x yf
Enc(y)x gr
decodersimulator
Dec(g(x,r)) = f(x)
Sim(f(x)) g(x,r)
Variants: perfect, stat., comp.
“pure IT”
Randomized Encoding - Syntax
g
r
inputs random inputs
f
x
inputs
x
f(x) is encoded by g(x,r)
f(x) = f(w)
Randomized Encoding - Semantics
• Correctness: f(x) can be efficiently decoded from g(x,r).
• Privacy: efficient simulator S s.t. S(f(x)) ≡ g(x,U)
– g(x,U) depends only on f(x)
f(x) ≠ f(w)
rw
g(w,U)
g(x,U)
r
x
≡
rw
g(w,U)
g(x,U)
r
x
Notions of Simplicity - I
• 2-decomposability: g((xA,xB),r)=(gA(xA,r),gB(xB,r))– Application: two-party “private simultaneous messages”
protocols [Feige, Kilian, Naor 94, …]
r
xAxB
Alice Bob
Carol
f(xA,xB)
gA(xA,r) gB(xB,r)
Example: sum
• f(xA,xB) = xA+xB (xA,xB finite group G)
xAxB
Alice Bob
Carol
rRG
mA+mB
xA+r xB-r
Example: equality
• f(xA,xB) = equality (xA,xBfinite field F)
xAxB
Alice Bob
Carol
r1RF \ {0} , r2RF
mA=mB?
r1xA+r2 r1xB+r2
Example: ANY function
• f(xA,xB) = xA xB (xA,xB{0,1})– Reduction to equality: xA 1/0, xB 2/0
• General boolean f: write as disjoint 2-DNF– f(xA,xB) = (a,b):f(a,b)=1 (xA=a xB=b) = t1 t2 … tm
00000100000 1 00000000000 0
ts ts+1 ts-1.....t1 t2 tm..... Exponential complexity
Notions of Simplicity - II
• Full decomposability: g((x1,…,xn),r)=(g1(x1,r),…,gn(xn,r))– Application: 1-round SFE to OT reductions [Kilian 88, ...]
r
xA
xB
Alice
Bob
f(xA,xB)
gA(xA,r) OT OT OT OT OT
Dishonest Alice?
gn(0,r) gn(1,r)
xn gn(xn,r)
Example: iterated group product
• Abelian case– f(x1,…,xn)=x1+x2+…+xn – g(x, (r1,…,rn-1)) =
x1+r1 x2+r2 … xn-1+rn-1 xn-r1-…-rn-1
• General case [Kil88]– f(x1,…,xn)=x1x2
…xn – g(x, (r1,…,rn-1)) =
x1r1 r1-1x2r2 r2
-1x2r3 … rn-2-1xn-1rn-1 rn-1
-1xn
Example: iterated group product
f(x1,…,xn) reduces to 12 …m where:• i S5
• Each i depends on a single xj
• distinct 0,1 S5 s.t. 12 …m = f(x)
Thm [Barrington 86] Every boolean fNC1 can be computed by a poly-length, width-5 branching program.
Encoding iterated group product 123 …m 1r1 r1
-12r2 r2-13r3 … rm-1
-1m
g
r1
f
x1 x2 xnx1 x2 xn r2 rm-1
… … …..
1r1 r1-12r2 rm-1
-1m
• Every output bit of g depends on just a single bit of x Efficient fully decomposable encoding for every fNC1
Notions of Simplicity - III• Low degree: g(x,r) = vector of degree-d poly in x,r over F
– aka “Randomizing Polynomials” [I, Kushilevitz 00,…]– Application: round-efficient MPC
• Motivating observation: Low-degree functions are easy to distribute!
– Round complexity of MPC protocols [BGW88,CCD88,CDM00,…]• Semi-honest model
– t<n/d 2 rounds– t<n/2 multiplicative depth + 1 = log d+1 rounds
• Malicious model– Optimal t O(log d) rounds
– Randomized func. g reduces to a deterministic degree-d func. g’• g’((x1, r1), … ,(xn,rn)) = g((x1,…,xn),(r1+…+rn))• Security of reduction is “model independent”
Examples
• What’s wrong with previous examples?– Great degree in x (degx=1), bad in r
• Coming up:– Degree-3 encoding for every f– Efficient in size of branching program
g
r1
f
x1 x2 xnx1 x2 xn r2 rm-1
… … …..
1r1 r1-12r2 rm-1
-1m
RS5
Notions of Simplicity - IV
• Small locality:
– Application: parallel cryptography! [Applebaum, I, Kushilevitz 04,
…]
• Coming up: encodings with locality 4– degree 3, fully decomposable– efficient in size of branching program
x r
Parallel Cryptography
poly-time
NC
log-space
NC1
AC0
NC0
How low can we get?
Cryptography in NC0?
• Tempting conjecture:
crypto hardness “complex” function
• Longstanding open question
Håstad 87Impagliazzo Naor 89Goldreich 00Cryan Miltersen 01Krause Lucks 01Mossel Shpilka Trevisan 03
• Real-life motivation: super-fast cryptographic hardware
[CM]: Yes
[G]: No
Main Primitives
f
….
….
….
f(Uin)
Uout
poly-time
f
OWF
Uin y = f(Uin)
poly-time
find xf -1(y)
PRGUin
Pseudorandom or Random?
AC0 AC0
Compile primitives in a “relatively high” complexity class (e.g., NC1, NL/poly, L/poly) into ones in NC0.
Surprising Positive Result [AIK04]
NC1 cryptography implied by factoring, discrete-log, lattices…
essentially settles open questionOWF
locality 4
NC02
NC03
NC0
NC1
NC02
NC03
NC0
NC1
PRG OWF
factoring, discrete-log, lattices, … subset-sum
impossible
NC02NC0
2
NC1NC1
TC0 TC0TC0 TC0
NC04 NC0
4low stretch open open
AC0
NC0
NC04
AC0
NC0
NC04
Encoding a OWF
Thm. f(x) is a OWF g(x,r) is a OWF
Proof: inverter B for g inverter A for f
g(x,r)=z f(x)=yx
A
Simulatory B (x,r)z
• A succeeds whenever B succeeds– Dec(z) = Dec(g(x,r)) = f(x)– Dec(z) = Dec(Sim(y)) = y
zR g(Un,Um)
prob p
yR f(Un)
prob p
• A generates a correct input distribution for B– Sim(f(Un)) = g(Un,Um)
g(x,r)=z
Dec(g(x,r)) = f(x)Sim(f(x)) g(x,r)
• Want: f(x) is a PRG g(x,r) is a PRG• Problems:
– output of g may not be pseudorandom – g may shrink its input
• Solution: “perfect” randomized encoding– respects pseudorandomness, additive stretch, …– stretch of g is typically sublinear even if that of f is superlinear– most (not all) known constructions give perfectness for free
Encoding a PRG
Additional Cryptographic Primitives
• General compiler also applies to:– one-way / trapdoor permutations – collision-resistant hashing– public key / symmetric encryption – signatures / MACs – commitments – …
• Caveat: decryption / verification not in NC0… – … But: can commit in NC0 with decommit in NC0[AND] – Applications: coin-flipping, zero-knowledge, …
Non-cryptographic PRGs
• ε-biased generators [Mossel Shpilka Trevisan 03]: superlinear stretch in NC0
5
– Current work: linear stretch in NC03
• optimal locality, stretch
• PRGs for space-bounded computation
Remaining Challenge
How to encode “complex” f by g NC0?
• Observation: enough to obtain const. degree encoding
• Locality Reduction:degree 3 poly over GF(2) locality 4 rand. encoding
f(x) = T1(x) + T2(x) + … + Tk(x)
g(x,r,s) = T1(x)+r1 T2(x)+r2 Tk(x)+rk…
–r1+s1 –s1 –r2 +s2 –sk-1–rk…
Coming up…
Manipulating EncodingsComposition Lemma:
f h encodes g
h’ encodes f
g encodes f
Concatenation Lemma:
g(1) encodes f(1) … g(l) encodes f(l) g encodes f
…
…
From Branching Programs to locality 4
…f (1) f (2)
s1x
2x
1 1 1
4x 5x
2x1x2x
2x
3x
3x
3x
3x4x
4x
t
s1x
2x
1 1 1
4x 5x
2x1x2x
2x
3x
3x
3x
3x4x
4x
tf (l)
poly-size BPs
…
……
…
…
…
……
…
…
…
……
…
…
… degree 3
coming up...
locality reduction
concatenation
s1x
2x
1 1 1
4x 5x
2x1x2x
2x
3x
3x
3x
3x4x
4x
t
… …
… …
… …
…
… …
…
… NC04
… …
… …
… …
… …
… …
… …
…
NC04
g(1) g(2) g(l)
h(1) h(2) h(l)
composition
h
locality 4
3 Ways to Degree 3
1. Degree-3 encoding using a circuit representation
f(x)=1
y1, y2 , y3
y1=NAND(x1 , x2)= x1(1-x2)+(1-x1)x2+(1-x1)(1-x2)y2=NAND(x3 , x4)y3=NAND(y1 , y2)1 =NAND(y3 , x5)
Note: ! y1, y2 , y3
x1 x2 x3 x4
y1 y2
x5
y3
Using circuit representation (contd.)
q1(x,y)=0q2(x,y)=0 ...qk(x,y)=0
deg.-2
p(x, y,r)= ri qi(x,y)
f(x)=0 P(x) is uniform
f(x)=1 P(x) 0 given y=y0, otherwise it is uniform
Statistical distance amplified to 1/2 by 2(k) repetitions.
deg.-3
•works over any field
•complexity exponential in circuit size
•one polynomial
•huge field size
2. Degree-3 encoding using quadratic characters
Fact from number theory:
)1()1()( that such0)2( prime
}1,0{ sequence-bit)(
Ndddbdq
bN
qqqNO
N
• Let N=2n, b = length-N truth-table of f, F=GF(q)
• Define p(x1,…,xn, r) = 2
1
12 rxdn
ii
i
3. Perfect Degree-3 Encoding from Branching Programs
s
t
1x2x
1 1 1
4x 5x
2x1x2x
2x
3x
3x
3x
3x4x
4x
s
t
1x2x
1 1 1
4x
2x3x
3x
4x
BP=(G, s , t, edge-labeling) Gx=subgraph induced by x
mod-q NBP: f(x) = # s-t paths in Gx (mod q)
• size = # of vertices
• circuit-size BP-size formula-size
• Boolean case: q=2
1 * * * 0 1 * * 0 0 1 * 0 0 0 1
1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1
1 * * * 0 1 * * 0 0 1 * 0 0 0 1
1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1
Perfect Degree-3 Encoding of BPs
s
t
1x2x
1 1 1
4x 5x
2x1x2x
2x
3x
3x
3x
3x4x
4x
s
t
1x2x
1 1 1
4x
2x3x
3x
4x
BP=(G, s, t, edge-labeling) Gx=subgraph induced by x
mod-q BP: f(x) = # st paths in Gx mod q.
Lemma: degree-1 mapping L : x s.t. det(L(x))= f(x). * * * *-1 * * * 0 -1 * * 0 0 -1 *
size(BP) 1 $ $ $ 0 1 $ $ 0 0 1 $ 0 0 0 1
* * * *-1 * * * 0 -1 * * 0 0 -1 *
1 0 0 $ 0 1 0 $ 0 0 1 $ 0 0 0 1
Encoding based on Lemma: g(x,r1,r2)= R1(r1)L(x)R2(r2)
det L(x) (= f(x))
* * * *-1 * * 0 0 -1 * 0 0 0 -1 0
0 0 0 *-1 0 0 0 0 -1 0 0 0 0 -1 0
Correctness: f(x)=det g(x,r1,r2)
Privacy: * * * *-1 * * * 0 -1 * * 0 0 -1 *
0 0 0 *-1 0 0 0 0 -1 0 0 0 0 -1 0
1 $ $ $ 0 1 $ $ 0 0 1 $ 0 0 0 1
* * * *-1 * * * 0 -1 * * 0 0 -1 *
1 0 0 $ 0 1 0 $ 0 0 1 $ 0 0 0 1
1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1
-1 1 * * * 0 1 * * 0 0 1 * 0 0 0 1
-1
= 1 0 0 $ 0 1 0 $ 0 0 1 $ 0 0 0 1
1 $ $ $ 0 1 $ $ 0 0 1 $ 0 0 0 1
g(x,r1,r2)
-1 * * * * 0 -1 * * * 0 0 -1 * * 0 0 0 -1 * 0 0 0 0 -1
Proof of Lemma
A(x)= adjacancy matrix of Gx (over F=GF(q))
A* = I+A+A2+… = (I-A)-1
A*s,t =
0 * * * * 0 0 * * * 0 0 0 * * 0 0 0 0 * 0 0 0 0 0
= det (A-I)|t,s
L(x)= (A(x)-I)|t,s
Lemma: degree-1 mapping L : x s.t. det(L(x))= f(x). * * * *-1 * * * 0 -1 * * 0 0 -1 *
Proof:
(-1)s+t det (I-A)|t,s / det (I-A)
A=L=
s
t
ts
Thm. size-s BP degree 3 encoding of size O(s2)
• perfect encoding for mod-q BP (capturing L/poly for q=2)
large q: useful for (comp.-secure) two-party computation
• imperfect for nondeterministic BP (capturing NL/poly)
Q: How many rounds?•How many rounds for maximal privacy?
•How much privacy in 2 rounds?
3 rounds suffice
t<k/3 suffices
• perfect privacy + correctness• complexity O(BP-size2)
The secure evaluation of an arbitrary functionality can be reduced to the secure evaluation of degree-3 polynomials.
Thm. [IK00]A boolean function f admits a perfectly private degree-2 encoding over F if and only if either:
•f or its negation test for a linear condition Ax=b over F;•f admits standard representation by a degree-2 polynomial over F.
Is 3 minimal?
Computationally Private Encodings [AIK05]
• Known: f L encoding in NC0
• Goal: f P encoding in NC0
• Idea: relax encoding requirement
• Respects security of most primitives
• Thm: f P computational encoding in NC04
assuming “easy PRG” (min-PRG L)
x gr
Enc(y)comp
“Easy PRG” can be based on factoring, discrete-log, lattices
Proof OutlineThm. “easy PRG” encoding in NC0
for all fP
f P gNC0[ ] gNC0[min-PRG]
gL hNC04
Yao garbled circuit
easy PRG [AIK04]
one-time symmetric encryption
one-time symmetric encryption
NC0[min-PRG]
exist
perfect• Using encoding:comp.
App 1: Relaxed Assumptions for Crypto in NC0
OWFOWPPRGHash
Sym-EncPK-EncSignatureCommitNIZK
Sym-EncPK-EncSignatureCommitNIZK
Sym-EncPK-EncSignatureCommitNIZK
L NC0
Assuming “easy PRG”OWFOWPPRGHash
Sym-EncPK-EncSignatureCommitNIZK
Proof: given code of min-PRG• Construct f P[min-PRG] via known reduction
• Use code of f to construct g NC0[min-PRG]
Note: non-black-box reduction!
Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, …
• What about NC reductions?• Much less is known…. • New
• Thm. All are equivalent under poly-time reductions
App 2: Parallel Reductions Between Primitives
OWF min-PRG PRG
Commit
Sym-Enc
Signature
Synthesizer
NC0
NC0
“Regular” OWF
NC1
NC0
NC0
NC0
PRFNC0
HILL Viola AIK
NR
Naor
In case you don’t insist on unconditional security…• Secure computatoin of every func. f efficiently reduces to deg-3 poly
… asuming “easy PRG”
• In particular:
Protocols desribed by Ivan imply const. round computationally secure MPC for every f
(Known assuming any PRG [BMR90,DI05]; however, current approach is conceptually simpler.)
App 3: Secure Multiparty Computation
Summary
• Different flavors of randomized encoding– Motivated by different applications
• Round-efficient secure computation• Parallel cryptography
• “Simplest” encodings: outputs of form xirjrk+rh– Efficient for various “intermediate complexity” classes
(NC1, NL/poly, modqL/poly)• Algebraic approach• “Combinatorial” approach: information-theoretic garbled circuit
– Computationally private encodings: efficient for all P (assuming “Easy PRG”)
Open Questions
Randomized encoding
Unconditionally secure MPC
Parallel crypto
poly-size NC0 encoding for every fP?
efficient constant-round protocol for
every fP?
OWF
OWF in NC0?
locality 3 for every f?
maximal privacy with minimal interaction?
OWF in NC1
OWF in NC03?
better encodings?
better const-round protocols?
practical hardware?
