1 / 43

Randomization Techniques for Multiparty Computation

Randomization Techniques for Multiparty Computation. Yuval Ishai. Technion. Lesson. “ Unconditionally secure cryptography ” is useful! … even if you don’t care about unconditional security … even if you don’t care about cryptography Today: randomization techniques  parallel crypto

liliha
Télécharger la présentation

Randomization Techniques for Multiparty Computation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Randomization Techniquesfor Multiparty Computation Yuval Ishai Technion

  2. Lesson • “Unconditionally secure cryptography” is useful! • … even if you don’t care about unconditional security • … even if you don’t care about cryptography • Today: randomization techniques  parallel crypto • Tomorrow: PIR  locally decodable codes

  3. Interested in unconditional security in cryptography? yes no yes Interested in cryptography? no yes Interested in Science? no yes Like traveling, good food, etc.? no You came to the right place! Go home!* *return ticket will NOT be paid by organizers

  4. decoder g x r simulator The Basic Question Dec(g(x,r)) = f(x) f x y Sim(f(x))  g(x,r) • g is a “randomized encoding” of f • Nontrivial relaxation of computing f • Hope: g can be “simpler” than f • Meaning of “simpler” determined by application Enc(y) Enc(y) Variants:perfect, stat., comp. “pure IT”

  5. Randomized Encoding - Syntax g f r x x random inputs inputs inputs f(x) is encoded by g(x,r)

  6. Randomized Encoding - Semantics • Correctness: f(x) can be efficiently decoded from g(x,r). f(x)≠ f(w)  g(x,U) x r w g(w,U) r • Privacy:  efficient simulator S s.t. S(f(x))≡ g(x,U) • g(x,U) depends only on f(x) f(x)= f(w)  g(x,U) x r w g(w,U) ≡ r

  7. xB xA Alice Bob Carol f(xA,xB) Notions of Simplicity - I • 2-decomposability:g((xA,xB),r)=(gA(xA,r),gB(xB,r)) • Application: two-party “private simultaneous messages” protocols [Feige, Kilian, Naor 94, …] r gA(xA,r) gB(xB,r)

  8. rRG xA+r xB-r mA+mB Example: sum • f(xA,xB) = xA+xB (xA,xB finite group G) xB xA Alice Bob Carol

  9. r1RF \ {0} , r2RF r1xA+r2 r1xB+r2 mA=mB ? Example: equality • f(xA,xB) = equality (xA,xBfinite field F) xB xA Alice Bob Carol

  10. ..... ..... ts t1 ts+1 t2 ts-1 tm Example: ANY function • f(xA,xB) = xA xB (xA,xB{0,1}) • Reduction to equality: xA  1/0, xB 2/0 • General boolean f: write as disjoint 2-DNF • f(xA,xB) = (a,b):f(a,b)=1 (xA=a  xB=b) = t1 t2 … tm Exponential complexity 00000000000  0 00000100000  1

  11. xA Alice gn(0,r) gn(1,r) gA(xA,r) OT OT OT OT OT xn xB f(xA,xB) Bob Notions of Simplicity - II • Full decomposability:g((x1,…,xn),r)=(g1(x1,r),…,gn(xn,r)) • Application: 1-round SFE to OT reductions [Kilian 88, ...] Dishonest Alice? r gn(xn,r)

  12. Example: iterated group product • Abelian case • f(x1,…,xn)=x1+x2+…+xn • g(x, (r1,…,rn-1)) = x1+r1 x2+r2 … xn-1+rn-1 xn-r1-…-rn-1 • General case [Kil88] • f(x1,…,xn)=x1x2 …xn • g(x, (r1,…,rn-1)) = x1r1r1-1x2r2r2-1x2r3 … rn-2-1xn-1rn-1rn-1-1xn

  13. Thm[Barrington 86]Every boolean fNC1 can be computed by a poly-length, width-5 branching program. r1-12r2 1r1 rm-1-1m • f(x1,…,xn) reduces to 12 …m where: • i  S5 • Each i depends on a singlexj •  distinct 0,1  S5s.t. 12 …m = f(x) f g … … ..… r1 r2 rm-1 x1 x1 x2 x2 xn xn Example: iterated group product Encoding iterated group product123 …m1r1r1-12r2r2-13r3…rm-1-1m • Every output bit of g depends on just a single bit of x • Efficient fully decomposable encoding for every fNC1

  14. Notions of Simplicity - III • Low degree:g(x,r) = vector of degree-d poly in x,r over F • aka “Randomizing Polynomials” [I, Kushilevitz 00,…] • Application: round-efficient MPC • Motivating observation: Low-degree functions are easy to distribute! • Round complexity of MPC protocols [BGW88,CCD88,CDM00,…] • Semi-honest model • t<n/d  2 rounds • t<n/2  multiplicative depth + 1 =log d+1 rounds • Malicious model • Optimal t  O(log d) rounds • Randomized func. g reduces to a deterministic degree-d func. g’ • g’((x1, r1), … ,(xn,rn)) = g((x1,…,xn),(r1+…+rn)) • Security of reduction is “model independent”

  15. r1-12r2 1r1 rm-1-1m f g … … ..… r1 r2 rm-1 x1 x1 x2 x2 xn xn Examples • What’s wrong with previous examples? • Great degree in x (degx=1), bad in r • Coming up: • Degree-3 encoding for every f • Efficient in size of branching program RS5

  16. x r Notions of Simplicity - IV • Small locality: • Application: parallel cryptography! [Applebaum, I, Kushilevitz 04,…] • Coming up: encodings with locality 4 • degree 3, fully decomposable • efficient in size of branching program

  17. Parallel Cryptography How low can we get? poly-time NC log-space NC1 AC0 NC0

  18. Tempting conjecture: [CM]: Yes crypto hardness “complex” function [G]: No Cryptography in NC0? • Longstanding open question Håstad 87 Impagliazzo Naor 89 Goldreich 00 Cryan Miltersen 01 Krause Lucks 01 Mossel Shpilka Trevisan 03 • Real-life motivation: super-fast cryptographic hardware

  19. Main Primitives OWF find xf -1(y) f Uin y = f(Uin) poly-time PRG Pseudorandom or Random? f Uin f(Uin) …. …. Uout …. poly-time

  20. OWF open open Surprising Positive Result [AIK04] Compile primitives in a “relatively high” complexity class (e.g., NC1, NL/poly, L/poly) into ones in NC0. NC1 cryptography implied by factoring, discrete-log, lattices…  essentially settles open question locality 4 OWF NC1 NC1 NC1 NC1 factoring, discrete-log, lattices, … TC0 TC0 TC0 TC0 subset-sum AC0 AC0 AC0 AC0 impossible NC0 NC0 NC0 NC0 NC04 NC04 NC04 NC04 low stretch NC03 NC03 NC02 NC02 NC02 NC02 PRG OWF

  21. Encoding a OWF y B z Simulator x (x,r) yRf(Un) zRg(Un,Um) A prob p prob p Dec(g(x,r)) = f(x) Sim(f(x))  g(x,r) Thm. f(x) is a OWF  g(x,r) is a OWF Proof: inverter B for g  inverter A for f g(x,r)=z g(x,r)=z f(x)=y • A succeeds whenever B succeeds • Dec(z) = Dec(g(x,r)) = f(x) • Dec(z) = Dec(Sim(y)) = y • A generates a correct input distribution for B • Sim(f(Un)) = g(Un,Um)

  22. Encoding a PRG • Want: f(x) is a PRG  g(x,r) is a PRG • Problems: • output of g may not be pseudorandom • g may shrink its input • Solution: “perfect” randomized encoding • respects pseudorandomness, additive stretch, … • stretch of g is typically sublinear even if that of f is superlinear • most (not all) known constructions give perfectness for free

  23. Additional Cryptographic Primitives • General compiler also applies to: • one-way / trapdoor permutations • collision-resistant hashing • public key / symmetric encryption • signatures / MACs • commitments • … • Caveat: decryption / verification not in NC0… • … But: can commit in NC0 with decommit in NC0[AND] • Applications: coin-flipping, zero-knowledge, …

  24. Non-cryptographic PRGs • ε-biasedgenerators [Mossel Shpilka Trevisan 03]:superlinear stretch in NC05 • Current work: linear stretch in NC03 • optimal locality, stretch • PRGs for space-bounded computation

  25. g(x,r,s) = T1(x)+r1 T2(x)+r2 Tk(x)+rk … –r1+s1 –s1 –r2+s2 –sk-1–rk Remaining Challenge Coming up… How to encode “complex” f by g  NC0? • Observation: enough to obtain const. degree encoding • Locality Reduction:degree 3 poly over GF(2)  locality 4rand. encoding f(x) = T1(x) + T2(x) + … + Tk(x)

  26. hencodes g h’encodes f Concatenation Lemma: … f g(1)encodes f(1) g(l)encodes f(l) g encodes f g encodes f … … Manipulating Encodings Composition Lemma:

  27. … … … … … … … … s s s … … … … … … t t t degree 3 … … NC04 … … … … … … … … … … … … … … … … … … … … … … NC04 … From Branching Programs to locality 4 poly-size BPs f (1) f (2) f (l) … coming up... composition g(1) g(l) g(2) locality reduction h(1) h(2) h(l) concatenation h locality 4

  28. y3 y1 y2 x5 x2 x3 x4 x1 y1,y2 ,y3 y1=NAND(x1 , x2)= x1(1-x2)+(1-x1)x2+(1-x1)(1-x2) y2=NAND(x3 , x4) y3=NAND(y1 ,y2) 1=NAND(y3 , x5) f(x)=1  Note:  !y1, y2 , y3 3 Ways to Degree 3 1. Degree-3 encoding using a circuit representation

  29. p(x, y,r)= riqi(x,y) deg.-3 f(x)=0  P(x)is uniform f(x)=1  P(x) 0given y=y0, otherwise itis uniform • Statistical distance amplified to 1/2 by 2(k) repetitions. Using circuit representation (contd.) q1(x,y)=0 q2(x,y)=0 ... qk(x,y)=0 deg.-2 • works over any field • complexity exponential in circuit size

  30. Fact from number theory: 2. Degree-3 encoding using quadratic characters • Let N=2n, b = length-N truth-table of f, F=GF(q) • Define p(x1,…,xn, r) = • one polynomial • huge field size

  31. t s 3. Perfect Degree-3 Encoding from Branching Programs BP=(G, s , t, edge-labeling) Gx=subgraph induced by x t s mod-q NBP: f(x) = # s-t paths in Gx (mod q) • size = # of vertices • circuit-size  BP-size  formula-size • Boolean case: q=2

  32. BP=(G, s, t, edge-labeling) Gx=subgraph induced by x t t s s mod-q BP: f(x) = # st paths in Gx mod q. size(BP) * * * *-1 * * *0 -1 * *0 0 -1 * Lemma:degree-1 mapping L : x s.t. det(L(x))= f(x). detL(x) (= f(x)) Encoding based on Lemma:g(x,r1,r2)= R1(r1)L(x)R2(r2) 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 -1 -1 0 0 0 *-10 0 00 -10 0 0 0 -10 1 0 0*0 1 0* 0 0 1*0 0 0 1 1* * *0 1* *0 0 1*0 0 0 1 Perfect Degree-3 Encoding of BPs Correctness:f(x)=detg(x,r1,r2) 1 * * * 0 1 * * 0 0 1 * 0 0 0 1 1* * *0 1* *0 0 1*0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0*0 1 0* 0 0 1*0 0 0 1 1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1 0 0 0 *-10 0 00 -10 0 0 0 -10 * * * *-1 * * 00 -1 * 0 0 0 -10 = Privacy: 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 g(x,r1,r2) 

  33. s t s t Proof of Lemma * * * *-1 * * * 0 -1 * * 0 0 -1 * Lemma:degree-1 mapping L : x s.t. det(L(x))= f(x). Proof: A(x)= adjacancy matrix of Gx (over F=GF(q)) A* = I+A+A2+… = (I-A)-1 (-1)s+t det (I-A)|t,s / det (I-A) A*s,t = = det (A-I)|t,s L(x)= (A(x)-I)|t,s 0 * * * * 0 0 * * * 0 0 0 * * 0 0 0 0 * 0 0 0 0 0 -1 * * * * 0 -1 * * * 0 0 -1 * * 0 0 0 -1 * 0 0 0 0 -1 L= A=

  34. Thm. size-s BP  degree 3 encoding of size O(s2) • perfect encoding for mod-q BP (capturing L/poly for q=2) • large q: useful for (comp.-secure) two-party computation • imperfect for nondeterministic BP (capturing NL/poly)

  35. The secure evaluation of an arbitrary functionality can be reduced to the secure evaluation of degree-3 polynomials. • Q: How many rounds? • How many rounds for maximal privacy? • How much privacy in 2 rounds? 3 rounds suffice t<k/3 suffices • perfect privacy + correctness • complexity O(BP-size2)

  36. Thm . [IK00] A boolean function f admits a perfectly private degree-2 encoding over F if and only if either: • f or its negation test for a linear condition Ax=b over F; • f admits standard representation by a degree-2 polynomial over F. Is 3 minimal?

  37. g x r  comp Enc(y) Computationally Private Encodings [AIK05] • Known: f L encoding inNC0 • Goal:fP  encoding in NC0 • Idea: relax encoding requirement • Respects security of most primitives • Thm:fP  computational encoding in NC04 assuming “easy PRG” (min-PRG  L) • “Easy PRG” can be based on factoring, discrete-log, lattices

  38. one-time symmetric encryption NC0[min-PRG] Proof Outline Thm. “easy PRG” encoding in NC0 for allfP f  P gNC0[ ] one-time symmetric encryption gNC0[min-PRG] Yao garbled circuit gL hNC04 easy PRG [AIK04]

  39. App 1: Relaxed Assumptions for Crypto in NC0 • Using encoding: comp. perfect OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK Assuming “easy PRG” Sym-Enc PK-Enc Signature Commit NIZK Sym-Enc PK-Enc Signature Commit NIZK  NC0   L exist

  40. NC0 NC0 App 2: Parallel Reductions Between Primitives • Proof: given code of min-PRG • Construct f  P[min-PRG] via known reduction • Use code of f to construct g  NC0[min-PRG] • Note: non-black-box reduction! • What about NC reductions? • Much less is known…. • New Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, … • Thm. All are equivalent under poly-time reductions NR NC1 Sym-Enc PRF Synthesizer HILL Viola AIK NC0 NC0 “Regular” OWF Signature min-PRG PRG OWF Naor NC0 NC0 Commit

  41. App 3: Secure Multiparty Computation • In case you don’t insist on unconditional security… • Secure computatoin of every func. fefficiently reduces to deg-3 poly • … asuming “easy PRG” • In particular: • Protocols desribed by Ivan imply const. round computationally secure MPC for everyf • (Known assuming any PRG [BMR90,DI05]; however, current approach is conceptually simpler.)

  42. Summary • Different flavors of randomized encoding • Motivated by different applications • Round-efficient secure computation • Parallel cryptography • “Simplest” encodings: outputs of form xirjrk+rh • Efficient for various “intermediate complexity” classes (NC1, NL/poly, modqL/poly) • Algebraic approach • “Combinatorial” approach: information-theoretic garbled circuit • Computationally private encodings: efficient for all P (assuming “Easy PRG”)

  43. poly-size NC0 encoding for every fP? • efficient constant-round protocol for every fP? • OWF  • OWF in NC0? • OWF in NC1 • OWF in NC03? • locality 3 for every f? • maximal privacy with minimal interaction? • better const-round protocols? • better encodings? • practical hardware? Open Questions Randomized encoding Unconditionally secure MPC Parallel crypto

More Related