Randomization Techniques for Multiparty Computation


Page 1: Randomization Techniques for Multiparty Computation

Randomization Techniques for Multiparty Computation

Page 2: Randomization Techniques for Multiparty Computation

The Basic Question

• g is a “randomized encoding” of f
  – Nontrivial relaxation of computing f

• Hope: g can be “simpler” than f
  – Meaning of “simpler” determined by application

Figure: x → f → y, and (x, r) → g → Enc(y); a decoder recovers y from Enc(y) and a simulator produces Enc(y) from y alone.

decoder: Dec(g(x,r)) = f(x)

simulator: Sim(f(x)) ≡ g(x,r)

Variants: perfect, stat. (“pure IT”), comp.

Speaker notes (yuvali): Our main idea is very simple, so let me try to describe it in an intuitive way. Suppose we have a primitive f, say a OWF, that we want to compute. But computing f is too complex, so what can we do? One idea that comes to mind is to settle for computing some other function g whose output is just a renaming, or an encoding, of the output of f. The motivation is that if the output of g is just a different name for the output of f, and assuming we can efficiently encode and decode, then g should have the same computational properties as f. What we gained is that we now have the freedom to choose a convenient encoding, and the hope is that one of these choices will make g much easier than f. But if you think about it for a second, you see that this is not very useful.
Page 3: Randomization Techniques for Multiparty Computation

Randomized Encoding - Syntax

Figure: f takes inputs x; g takes inputs x and random inputs r.

f(x) is encoded by g(x,r)

Page 4: Randomization Techniques for Multiparty Computation

Randomized Encoding - Semantics

• Correctness: f(x) can be efficiently decoded from g(x,r).

• Privacy: efficient simulator S s.t. S(f(x)) ≡ g(x,U)
  – g(x,U) depends only on f(x)

Figure: the output distributions g(x,U) and g(w,U) coincide when f(x) = f(w); when f(x) ≠ f(w) they differ (the decoder tells them apart).

Page 5: Randomization Techniques for Multiparty Computation

Notions of Simplicity - I

• 2-decomposability: g((xA,xB),r)=(gA(xA,r),gB(xB,r))
  – Application: two-party “private simultaneous messages” protocols [Feige, Kilian, Naor 94, …]

Figure: Alice holds xA, Bob holds xB, both hold the shared randomness r; Alice sends gA(xA,r) and Bob sends gB(xB,r) to Carol, who outputs f(xA,xB).

Page 6: Randomization Techniques for Multiparty Computation

Example: sum

• f(xA,xB) = xA+xB (xA,xB ∈ finite group G)

Figure: shared randomness r ←R G; Alice sends mA = xA+r, Bob sends mB = xB−r; Carol outputs mA+mB.

Page 7: Randomization Techniques for Multiparty Computation

Example: equality

• f(xA,xB) = equality (xA,xB ∈ finite field F)

Figure: shared randomness r1 ←R F \ {0}, r2 ←R F; Alice sends mA = r1xA+r2, Bob sends mB = r1xB+r2; Carol outputs whether mA = mB.
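Added example (not from the slides): the sum and equality PSM encodings of the last two slides in Python, each with Carol's decoder and a simulator that sees only f(xA,xB); exhaustive enumeration over the shared randomness confirms that the message pair's distribution depends only on the output. The group Z_7 and field GF(7) used in the checks are constructed choices.

```python
from collections import Counter
from fractions import Fraction

def dist(samples):
    """Exact probability distribution of a list of outcomes."""
    counts = Counter(samples)
    return {v: Fraction(n, len(samples)) for v, n in counts.items()}

# ---- sum over the group Z_q ----
def psm_sum(xa, xb, q, r):
    """Alice's and Bob's messages; r is the shared random group element."""
    return ((xa + r) % q, (xb - r) % q)

def decode_sum(ma, mb, q):
    """Carol adds the two messages; the masks cancel."""
    return (ma + mb) % q

def real_sum_dist(xa, xb, q):
    """Distribution of (mA, mB) over all choices of r."""
    return dist([psm_sum(xa, xb, q, r) for r in range(q)])

def sim_sum_dist(y, q):
    """Simulator sees only y = xA+xB: first message uniform, second forced by y."""
    return dist([(m, (y - m) % q) for m in range(q)])

# ---- equality over the prime field GF(p) ----
def psm_eq(xa, xb, p, r1, r2):
    """Both parties apply the same random affine map; r1 != 0 keeps it injective."""
    return ((r1 * xa + r2) % p, (r1 * xb + r2) % p)

def decode_eq(ma, mb):
    """Carol outputs 1 iff the messages coincide."""
    return int(ma == mb)

def real_eq_dist(xa, xb, p):
    """Distribution of (mA, mB) over r1 in F\\{0} and r2 in F."""
    return dist([psm_eq(xa, xb, p, r1, r2) for r1 in range(1, p) for r2 in range(p)])

def sim_eq_dist(y, p):
    """y = 1: a uniform equal pair; y = 0: a uniform ordered pair of distinct elements."""
    if y == 1:
        return dist([(m, m) for m in range(p)])
    return dist([(m, (m + d) % p) for m in range(p) for d in range(1, p)])
```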

Page 8: Randomization Techniques for Multiparty Computation

Example: ANY function

• f(xA,xB) = xA ∧ xB (xA,xB ∈ {0,1})
  – Reduction to equality: xA → 1/0, xB → 2/0

• General boolean f: write as disjoint 2-DNF
  – f(xA,xB) = ⋁(a,b):f(a,b)=1 (xA=a ∧ xB=b) = t1 ∨ t2 ∨ … ∨ tm

Figure: the terms t1, t2, …, tm are tested one by one; since the DNF is disjoint, either a single term ts is 1 (output 1) or all terms are 0 (output 0). Exponential complexity.

Page 9: Randomization Techniques for Multiparty Computation

Notions of Simplicity - II

• Full decomposability: g((x1,…,xn),r)=(g1(x1,r),…,gn(xn,r))
  – Application: 1-round SFE to OT reductions [Kilian 88, ...]

Figure: Alice holds xA and r, Bob holds xB; Alice sends gA(xA,r) directly, and for each bit xn of Bob's input one OT with sender inputs gn(0,r), gn(1,r) and choice bit xn delivers gn(xn,r); Bob decodes f(xA,xB). Dishonest Alice?

Page 10: Randomization Techniques for Multiparty Computation

Example: iterated group product

• Abelian case
  – f(x1,…,xn) = x1+x2+…+xn
  – g(x, (r1,…,rn-1)) = (x1+r1, x2+r2, …, xn-1+rn-1, xn−r1−…−rn-1)

• General case [Kil88]
  – f(x1,…,xn) = x1x2…xn
  – g(x, (r1,…,rn-1)) = (x1r1, r1⁻¹x2r2, r2⁻¹x3r3, …, rn-2⁻¹xn-1rn-1, rn-1⁻¹xn)

Page 11: Randomization Techniques for Multiparty Computation

Example: iterated group product

f(x1,…,xn) reduces to σ1σ2…σm where:

• σi ∈ S5

• Each σi depends on a single xj

• distinct σ0, σ1 ∈ S5 s.t. σ1σ2…σm = σf(x)

Thm [Barrington 86] Every boolean f ∈ NC1 can be computed by a poly-length, width-5 branching program.

Encoding iterated group product: σ1σ2σ3…σm ↦ (σ1r1, r1⁻¹σ2r2, r2⁻¹σ3r3, …, rm-1⁻¹σm)

Figure: f reads x1, x2, …, xn; g reads x1, …, xn together with r1, r2, …, rm-1 and outputs σ1r1, r1⁻¹σ2r2, …, rm-1⁻¹σm.

• Every output bit of g depends on just a single bit of x ⇒ Efficient fully decomposable encoding for every f ∈ NC1
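Added example (not part of the talk): Kilian's encoding of the iterated product in S5 from the previous two slides, with every output block computed from a single xj plus the shared randomness (full decomposability), the telescoping decoder, and an exhaustive privacy check over r ∈ S5^(n−1) for n = 3. Permutations are tuples; the composition convention and the sample inputs are constructed.

```python
from collections import Counter
from itertools import permutations, product

IDENTITY = (0, 1, 2, 3, 4)

def mul(a, b):
    """Group product a*b in S5 (permutations as tuples): (a*b)[i] = a[b[i]]."""
    return tuple(a[b[i]] for i in range(5))

def inv(a):
    """Inverse permutation."""
    res = [0] * 5
    for i, ai in enumerate(a):
        res[ai] = i
    return tuple(res)

def group_product(xs):
    """f(x1,...,xn) = x1 x2 ... xn."""
    acc = IDENTITY
    for x in xs:
        acc = mul(acc, x)
    return acc

def encode_component(j, xj, r):
    """j-th output block of g: r_{j-1}^-1 x_j r_j (the missing r_0 and r_n are omitted).
    It reads only x_j and the shared randomness, which is what full decomposability means."""
    n = len(r) + 1
    y = xj
    if j > 0:
        y = mul(inv(r[j - 1]), y)
    if j < n - 1:
        y = mul(y, r[j])
    return y

def encode(xs, r):
    """g(x, (r1,...,r_{n-1})) = (x1 r1, r1^-1 x2 r2, ..., r_{n-1}^-1 xn)."""
    return tuple(encode_component(j, xj, r) for j, xj in enumerate(xs))

def decode(blocks):
    """The r's telescope away, so the product of the blocks is f(x)."""
    return group_product(blocks)

def output_distribution(xs):
    """Exhaustive distribution of g over r in S5^{n-1} (n = 3 gives 120^2 = 14400 choices)."""
    s5 = list(permutations(range(5)))
    return Counter(encode(xs, r) for r in product(s5, repeat=len(xs) - 1))
```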

Page 12: Randomization Techniques for Multiparty Computation

Notions of Simplicity - III

• Low degree: g(x,r) = vector of degree-d poly in x,r over F
  – aka “Randomizing Polynomials” [I, Kushilevitz 00,…]
  – Application: round-efficient MPC

• Motivating observation: Low-degree functions are easy to distribute!
  – Round complexity of MPC protocols [BGW88,CCD88,CDM00,…]
    • Semi-honest model (passive adversary)
      – t<n/d ⇒ 2 rounds
      – t<n/2 ⇒ multiplicative depth + 1 = log d + 1 rounds
    • Malicious model (active adversary)
      – Optimal t ⇒ O(log d) rounds
  – Randomized func. g reduces to a deterministic degree-d func. g’
    • g’((x1, r1), … ,(xn,rn)) = g((x1,…,xn),(r1+…+rn))
    • Security of reduction is “model independent”

Page 13: Randomization Techniques for Multiparty Computation

Examples

• What’s wrong with previous examples?
  – Great degree in x (degx=1), bad in r

• Coming up:
  – Degree-3 encoding for every f
  – Efficient in size of branching program

Figure: the iterated group product encoding again: f reads x1, x2, …, xn; g reads x1, …, xn and r1, r2, …, rm-1 ←R S5 and outputs σ1r1, r1⁻¹σ2r2, …, rm-1⁻¹σm.

Page 14: Randomization Techniques for Multiparty Computation

Notions of Simplicity - IV

• Small locality: each output of g depends on few bits of x and r
  – Application: parallel cryptography! [Applebaum, I, Kushilevitz 04, …]

• Coming up: encodings with locality 4
  – degree 3, fully decomposable
  – efficient in size of branching program

Page 15: Randomization Techniques for Multiparty Computation

Parallel Cryptography

Figure: hierarchy of complexity classes, from poly-time down through NC, log-space, NC1 and AC0 to NC0. How low can we get?

Speaker notes (yuvali): This talk is about the question of minimizing the parallel time complexity of basic cryptographic tasks such as computing a one way function or encrypting a message. Specifically, we want to find out how far we can push the complexity of the best implementations of these primitives down this hierarchy of complexity classes. At the bottom of the hierarchy we have the class NC0, a class that can take pride in being almost too esoteric to make it into Scott's complexity zoo. An NC0 function is computed by a constant-depth circuit with bounded fan-in, and the reason it is esoteric is that it has the property that every bit of the output depends on just a constant number of bits of the input. We will refer to this constant as the locality of the function.
Page 16: Randomization Techniques for Multiparty Computation

Cryptography in NC0?

• Tempting conjecture: crypto hardness ⇒ “complex” function

• Longstanding open question: Håstad 87; Impagliazzo Naor 89; Goldreich 00; Cryan Miltersen 01; Krause Lucks 01; Mossel Shpilka Trevisan 03

• Real-life motivation: super-fast cryptographic hardware

[CM]: Yes   [G]: No

Page 18: Randomization Techniques for Multiparty Computation

Surprising Positive Result

Compile primitives in a “relatively high” complexity class (e.g., NC1, NL/poly, L/poly) into ones in NC0.

NC1 cryptography implied by factoring, discrete-log, lattices… ⇒ OWF with locality 4; essentially settles open question.

Figure: table of OWF and PRG results by locality and class (NC0_2, NC0_3, NC0_4, AC0, TC0, NC1): NC0_2 impossible; NC0_3 open; NC0_4 OWF and PRG (low stretch); assumptions: factoring, discrete-log, lattices, …, subset-sum.

Page 19: Randomization Techniques for Multiparty Computation

Encoding a OWF

Thm. f(x) is a OWF ⇒ g(x,r) is a OWF

Proof: inverter B for g ⇒ inverter A for f

Figure: A is given y ←R f(Un), computes z = Sim(y) (so z is distributed as g(Un,Um)), hands z to B, which returns (x,r) with g(x,r)=z with prob p, and A outputs that x; then f(x)=y with the same prob p.

• A succeeds whenever B succeeds
  – Dec(z) = Dec(g(x,r)) = f(x)
  – Dec(z) = Dec(Sim(y)) = y

• A generates a correct input distribution for B
  – Sim(f(Un)) = g(Un,Um)

Recall: Dec(g(x,r)) = f(x) and Sim(f(x)) ≡ g(x,r)

Speaker notes (yuvali): The privacy guarantees that z is distributed as it should be given any input x, and in particular for a randomly chosen x. By the correctness it follows that if z is an encoding of the output value y and (x,r) is a preimage of z under g, then x must be a preimage of y under f. So the success probability of A is the same as that of B.
Page 20: Randomization Techniques for Multiparty Computation

Encoding a PRG

• Want: f(x) is a PRG ⇒ g(x,r) is a PRG

• Problems:
  – output of g may not be pseudorandom
  – g may shrink its input

• Solution: “perfect” randomized encoding
  – respects pseudorandomness, additive stretch, …
  – stretch of g is typically sublinear even if that of f is superlinear
  – most (not all) known constructions give perfectness for free

Page 21: Randomization Techniques for Multiparty Computation

Additional Cryptographic Primitives

• General compiler also applies to:
  – one-way / trapdoor permutations
  – collision-resistant hashing
  – public key / symmetric encryption
  – signatures / MACs
  – commitments
  – …

• Caveat: decryption / verification not in NC0…
  – … But: can commit in NC0 with decommit in NC0[AND]
  – Applications: coin-flipping, zero-knowledge, …

Page 22: Randomization Techniques for Multiparty Computation

Non-cryptographic PRGs

• ε-biased generators [Mossel Shpilka Trevisan 03]: superlinear stretch in NC0_5
  – Using randomized encoding: linear stretch in NC0_3
    • optimal locality, stretch

• PRGs for space-bounded computation

Page 23: Randomization Techniques for Multiparty Computation

Remaining Challenge

How to encode “complex” f by g ∈ NC0?

• Observation: enough to obtain const. degree encoding

• Locality Reduction: degree 3 poly over GF(2) ⇒ locality 4 rand. encoding

f(x) = T1(x) + T2(x) + … + Tk(x)

g(x,r,s) = (T1(x)+r1, T2(x)+r2, …, Tk(x)+rk, −r1+s1, −s1−r2+s2, …, −sk-1−rk)

Coming up…
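Added example (not from the slides): the locality reduction above over GF(2), for an f given as a constructed list of monomials of degree at most 3; it reports the locality of the encoding, decodes by summing all outputs, and enumerates all 2k−1 random bits to confirm that the output distribution depends only on f(x).

```python
from collections import Counter
from itertools import product

def eval_monomial(mono, x):
    """A GF(2) monomial is the AND of the variables listed in mono (tuple of indices)."""
    return int(all(x[i] for i in mono))

def f(monos, x):
    """f(x) = T1(x) + ... + Tk(x) over GF(2)."""
    return sum(eval_monomial(m, x) for m in monos) % 2

def g(monos, x, r, s):
    """Locality-4 encoding: masked terms T_i(x)+r_i, then the chain
    -r1+s1, -s1-r2+s2, ..., -s_{k-1}-rk.  Over GF(2), -a = a, so every
    output is an XOR of at most four bits (3 input bits + 1 mask, or 3 masks)."""
    k = len(monos)
    s_ext = (0,) + tuple(s) + (0,)           # s_0 = s_k = 0 closes both ends of the chain
    masked = [(eval_monomial(m, x) + r[i]) % 2 for i, m in enumerate(monos)]
    chain = [(s_ext[i] + r[i] + s_ext[i + 1]) % 2 for i in range(k)]
    return tuple(masked + chain)

def decode(outputs):
    """Every r_i and s_i appears twice in the sum and cancels, leaving f(x)."""
    return sum(outputs) % 2

def locality(monos):
    """Largest number of input/random bits any single output reads."""
    k = len(monos)
    masked = [len(m) + 1 for m in monos]
    chain = [1 + (i > 0) + (i < k - 1) for i in range(k)]
    return max(masked + chain)

def output_distribution(monos, x):
    """Exhaustive distribution of g(x, r, s) over all 2k-1 random bits."""
    k = len(monos)
    return Counter(g(monos, x, bits[:k], bits[k:]) for bits in product((0, 1), repeat=2 * k - 1))
```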

Page 24: Randomization Techniques for Multiparty Computation

Manipulating Encodings

Composition Lemma: g encodes f, h encodes g ⇒ h’ encodes f

Concatenation Lemma: g(1) encodes f(1), …, g(l) encodes f(l) ⇒ g encodes f

Page 25: Randomization Techniques for Multiparty Computation

From Branching Programs to locality 4

Figure: f = (f(1), f(2), …, f(l)) is given by poly-size BPs; each f(i) gets a degree-3 encoding g(i) (coming up), the locality reduction turns each g(i) into h(i) ∈ NC0_4, and the concatenation and composition lemmas combine the h(i) into one encoding h of f with locality 4.

Page 26: Randomization Techniques for Multiparty Computation

3 Ways to Degree 3

1. Degree-3 encoding using a circuit representation

f(x)=1 ⇔ ∃ y1, y2, y3 s.t.:
  y1=NAND(x1 , x2) = x1(1-x2)+(1-x1)x2+(1-x1)(1-x2)
  y2=NAND(x3 , x4)
  y3=NAND(y1 , y2)
  1 =NAND(y3 , x5)

Note: ∃! y1, y2, y3

Figure: the circuit with inputs x1, x2, x3, x4, x5, NAND gates y1, y2, y3 and output gate NAND(y3, x5).

Page 27: Randomization Techniques for Multiparty Computation

Using circuit representation (contd.)

q1(x,y)=0, q2(x,y)=0, ..., qk(x,y)=0   (deg.-2)

p(x,y,r) = Σi ri qi(x,y)   (deg.-3)

f(x)=0 ⇒ P(x) is uniform

f(x)=1 ⇒ P(x) ≡ 0 given y=y0, otherwise it is uniform

Statistical distance amplified to 1/2 by 2(k) repetitions.

• works over any field

• complexity exponential in circuit size

Page 28: Randomization Techniques for Multiparty Computation

2. Degree-3 encoding using quadratic characters

• one polynomial

• huge field size

Fact from number theory: (formula garbled in extraction; it relates a bit-sequence b ∈ {0,1}^N to a prime q and a shift d via the quadratic character)

• Let N=2^n, b = length-N truth-table of f, F=GF(q)

• Define p(x1,…,xn, r) = (d + Σi 2^(i−1) xi) · r²

Page 29: Randomization Techniques for Multiparty Computation

3. Perfect Degree-3 Encoding from Branching Programs

Figure: a branching program with source s and sink t; edges are labelled by literals over x1,…,x5 or by the constant 1, and Gx keeps the edges whose labels are satisfied by x.

BP=(G, s , t, edge-labeling), Gx = subgraph induced by x

mod-q NBP: f(x) = # s-t paths in Gx (mod q)

• size = # of vertices

• circuit-size ≤ BP-size ≤ formula-size

• Boolean case: q=2

Page 30: Randomization Techniques for Multiparty Computation

Perfect Degree-3 Encoding of BPs

BP=(G, s, t, edge-labeling), Gx = subgraph induced by x

mod-q BP: f(x) = # s-t paths in Gx mod q.

Lemma: ∃ degree-1 mapping L : x ↦ L(x) s.t. det(L(x)) = f(x). L(x) is a square matrix of dimension size(BP)−1 with −1 on the sub-diagonal, 0 below it and entries (*) of degree 1 in x above it.

Encoding based on Lemma: g(x,r1,r2) = R1(r1) L(x) R2(r2), where R1(r1) is unit upper-triangular with random entries ($) above the diagonal and R2(r2) is the identity with a random last column ($) above the diagonal.

Correctness: f(x) = det L(x) = det g(x,r1,r2), since det R1 = det R2 = 1.

Privacy: every matrix with the shape of L(x) can be written as R1(r1′) · C · R2(r2′) for a unique pair (r1′, r2′), where C is the canonical matrix with −1 on the sub-diagonal, the determinant in the top-right corner and 0 elsewhere; hence g(x,r1,r2) is uniform over the matrices of that shape with determinant f(x), and depends on x only through f(x).

Page 31: Randomization Techniques for Multiparty Computation

Proof of Lemma

Lemma: ∃ degree-1 mapping L : x ↦ L(x) s.t. det(L(x)) = f(x).

Proof:

A(x) = adjacency matrix of Gx (over F=GF(q)); with the vertices in topological order from s to t, A(x) is strictly upper triangular (0 on and below the diagonal).

A* = I + A + A² + … = (I−A)⁻¹

A*s,t (= # s-t paths = f(x)) = (−1)^(s+t) det (I−A)|t,s / det (I−A) = det (A−I)|t,s, where M|t,s denotes M with row t and column s deleted; det(I−A) = 1 because A is strictly upper triangular.

L(x) = (A(x)−I)|t,s

Figure: A (strictly upper triangular) and L = (A−I)|t,s (−1 on the sub-diagonal, 0 below it).

Page 32: Randomization Techniques for Multiparty Computation

Thm. size-s BP ⇒ degree 3 encoding of size O(s²)

• perfect encoding for mod-q BP (capturing L/poly for q=2)
  – large q: useful for (comp.-secure) two-party computation

• imperfect for nondeterministic BP (capturing NL/poly)
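Added example (not from the talk): the determinant-based encoding of the previous slides over GF(2), for a constructed 4-vertex mod-2 BP computing x0 ∨ x1. It builds A(x), L(x) = (A(x)−I)|t,s, checks det L(x) against the s-t path count, forms g = R1 L R2 from random R1, R2, and enumerates all 32 randomness choices for the privacy check. The BP, its vertex order (s = 0, t = 3) and the GF(q) determinant routine are assumptions of this example.

```python
from collections import Counter
from itertools import product

Q = 2  # field GF(q); q = 2 here, but any prime works the same way

def adjacency(x):
    """A(x) of the constructed toy BP: 0->1 on x0, 0->2 on 1-x0, 1->3 always, 2->3 on x1."""
    A = [[0] * 4 for _ in range(4)]
    A[0][1], A[0][2], A[1][3], A[2][3] = x[0], 1 - x[0], 1, x[1]
    return A

def count_paths(A):
    """f(x) = number of s-t paths in G_x mod q (s = 0, t = last, topological order)."""
    paths = [1] + [0] * (len(A) - 1)
    for v in range(1, len(A)):
        paths[v] = sum(paths[u] * A[u][v] for u in range(v)) % Q
    return paths[-1]

def l_matrix(A):
    """L(x) = (A(x)-I) with row t, column s deleted: -1 sub-diagonal, 0 below, edge indicators above; det L(x) = f(x)."""
    return [[(A[i][j] - (i == j)) % Q for j in range(1, len(A))] for i in range(len(A) - 1)]

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*Y)] for row in X]

def det(M):
    """Determinant over GF(q) by Gaussian elimination."""
    M, n, d = [row[:] for row in M], len(M), 1
    for c in range(n):
        piv = next((i for i in range(c, n) if M[i][c]), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv], d = M[piv], M[c], -d
        d, inv = d * M[c][c] % Q, pow(M[c][c], Q - 2, Q)  # inv = pivot^-1 in GF(q)
        for i in range(c + 1, n):
            M[i] = [(a - M[i][c] * inv * b) % Q for a, b in zip(M[i], M[c])]
    return d % Q

def encode(A, r1, r2):
    """g(x,r1,r2) = R1(r1) L(x) R2(r2): R1 is unit upper-triangular with r1 in the $ slots
    above the diagonal; R2 is the identity with r2 as its last column above the diagonal."""
    L = l_matrix(A)
    n = len(L)
    R1, R2 = [[[int(i == j) for j in range(n)] for i in range(n)] for _ in range(2)]
    for (i, j), v in zip([(i, j) for i in range(n) for j in range(i + 1, n)], r1):
        R1[i][j] = v
    for i, v in enumerate(r2):
        R2[i][n - 1] = v
    return matmul(matmul(R1, L), R2)

def output_distribution(x):
    """Exhaustive distribution of g(x, r1, r2) over its 3 + 2 random field elements."""
    A = adjacency(x)
    return Counter(tuple(map(tuple, encode(A, b[:3], b[3:]))) for b in product(range(Q), repeat=5))
```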

Page 33: Randomization Techniques for Multiparty Computation

Q: How many rounds?

• How many rounds for maximal privacy? 3 rounds suffice

• How much privacy in 2 rounds? t<k/3 suffices

• perfect privacy + correctness

• complexity O(BP-size²)

The secure evaluation of an arbitrary functionality can be reduced to the secure evaluation of degree-3 polynomials.

Page 34: Randomization Techniques for Multiparty Computation

Is 3 minimal?

Thm. [IK00] A boolean function f admits a perfectly private degree-2 encoding over F if and only if either:

• f or its negation tests for a linear condition Ax=b over F;

• f admits a standard representation by a degree-2 polynomial over F.

Page 35: Randomization Techniques for Multiparty Computation

Computationally Private Encodings

• Known: f ∈ L ⇒ encoding in NC0

• Goal: f ∈ P ⇒ encoding in NC0

• Idea: relax encoding requirement (figure: x, r → g → Enc(y), with the simulation now only computationally indistinguishable, ≡comp)

• Respects security of most primitives

• Thm: f ∈ P ⇒ computational encoding in NC0_4 assuming “easy PRG” (min-PRG ∈ L)

“Easy PRG” can be based on factoring, discrete-log, lattices

Page 36: Randomization Techniques for Multiparty Computation

Proof Outline

Thm. “easy PRG” ⇒ encoding in NC0 for all f ∈ P

f ∈ P ⇒ g ∈ NC0[one-time symmetric encryption] (Yao garbled circuit) ⇒ g ∈ NC0[min-PRG] (one-time symmetric encryption from min-PRG) ⇒ g ∈ L (easy PRG) ⇒ h ∈ NC0_4 [AIK04]

Page 37: Randomization Techniques for Multiparty Computation

App 1: Relaxed Assumptions for Crypto in NC0

Figure: table over the primitives OWF, OWP, PRG, Hash, Sym-Enc, PK-Enc, Signature, Commit, NIZK. Using a perfect encoding: a primitive in L gives one in NC0. Using a comp. encoding, assuming “easy PRG”: a primitive that exists at all gives one in NC0.

Page 38: Randomization Techniques for Multiparty Computation

App 2: Parallel Reductions Between Primitives

• Thm. All are equivalent under poly-time reductions: Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, …

• What about NC reductions?
  – Much less is known….

• New

Figure: reductions among OWF, min-PRG, PRG, Commit, Sym-Enc, Signature, Synthesizer, PRF and “Regular” OWF, each arrow marked NC0 or NC1 and credited to HILL, Viola, AIK, NR or Naor.

Proof: given code of min-PRG

• Construct f ∈ P[min-PRG] via known reduction

• Use code of f to construct g ∈ NC0[min-PRG]

Note: non-black-box reduction!

Page 39: Randomization Techniques for Multiparty Computation

App 3: Secure Multiparty Computation

In case you don’t insist on unconditional security…

• Secure computation of every func. f efficiently reduces to deg-3 poly … assuming “easy PRG”

• In particular: Protocols described by Ivan imply const. round computationally secure MPC for every f

(Known assuming any PRG [BMR90,DI05]; however, current approach is conceptually simpler.)

Page 40: Randomization Techniques for Multiparty Computation

Summary

• Different flavors of randomized encoding
  – Motivated by different applications
    • Round-efficient secure computation
    • Parallel cryptography

• “Simplest” encodings: outputs of form xirjrk+rh
  – Efficient for various “intermediate complexity” classes (NC1, NL/poly, mod_q L/poly)
    • Algebraic approach
    • “Combinatorial” approach: information-theoretic garbled circuit
  – Computationally private encodings: efficient for all P (assuming “Easy PRG”)

Page 41: Randomization Techniques for Multiparty Computation

Open Questions

Randomized encoding:

• poly-size NC0 encoding for every f ∈ P?

• locality 3 for every f?

• better encodings?

Unconditionally secure MPC:

• efficient constant-round protocol for every f ∈ P?

• maximal privacy with minimal interaction?

• better const-round protocols?

Parallel crypto:

• OWF ⇒ OWF in NC0?

• OWF in NC1 ⇒ OWF in NC0_3?

• practical hardware?