440 likes | 549 Vues
Randomization Techniques for Multiparty Computation. Yuval Ishai. Technion. Lesson. “ Unconditionally secure cryptography ” is useful! … even if you don’t care about unconditional security … even if you don’t care about cryptography Today: randomization techniques parallel crypto
E N D
Randomization Techniquesfor Multiparty Computation Yuval Ishai Technion
Lesson • “Unconditionally secure cryptography” is useful! • … even if you don’t care about unconditional security • … even if you don’t care about cryptography • Today: randomization techniques parallel crypto • Tomorrow: PIR locally decodable codes
Interested in unconditional security in cryptography? yes no yes Interested in cryptography? no yes Interested in Science? no yes Like traveling, good food, etc.? no You came to the right place! Go home!* *return ticket will NOT be paid by organizers
decoder g x r simulator The Basic Question Dec(g(x,r)) = f(x) f x y Sim(f(x)) g(x,r) • g is a “randomized encoding” of f • Nontrivial relaxation of computing f • Hope: g can be “simpler” than f • Meaning of “simpler” determined by application Enc(y) Enc(y) Variants:perfect, stat., comp. “pure IT”
Randomized Encoding - Syntax g f r x x random inputs inputs inputs f(x) is encoded by g(x,r)
Randomized Encoding - Semantics • Correctness: f(x) can be efficiently decoded from g(x,r). f(x)≠ f(w) g(x,U) x r w g(w,U) r • Privacy: efficient simulator S s.t. S(f(x))≡ g(x,U) • g(x,U) depends only on f(x) f(x)= f(w) g(x,U) x r w g(w,U) ≡ r
xB xA Alice Bob Carol f(xA,xB) Notions of Simplicity - I • 2-decomposability:g((xA,xB),r)=(gA(xA,r),gB(xB,r)) • Application: two-party “private simultaneous messages” protocols [Feige, Kilian, Naor 94, …] r gA(xA,r) gB(xB,r)
rRG xA+r xB-r mA+mB Example: sum • f(xA,xB) = xA+xB (xA,xB finite group G) xB xA Alice Bob Carol
r1RF \ {0} , r2RF r1xA+r2 r1xB+r2 mA=mB ? Example: equality • f(xA,xB) = equality (xA,xBfinite field F) xB xA Alice Bob Carol
..... ..... ts t1 ts+1 t2 ts-1 tm Example: ANY function • f(xA,xB) = xA xB (xA,xB{0,1}) • Reduction to equality: xA 1/0, xB 2/0 • General boolean f: write as disjoint 2-DNF • f(xA,xB) = (a,b):f(a,b)=1 (xA=a xB=b) = t1 t2 … tm Exponential complexity 00000000000 0 00000100000 1
xA Alice gn(0,r) gn(1,r) gA(xA,r) OT OT OT OT OT xn xB f(xA,xB) Bob Notions of Simplicity - II • Full decomposability:g((x1,…,xn),r)=(g1(x1,r),…,gn(xn,r)) • Application: 1-round SFE to OT reductions [Kilian 88, ...] Dishonest Alice? r gn(xn,r)
Example: iterated group product • Abelian case • f(x1,…,xn)=x1+x2+…+xn • g(x, (r1,…,rn-1)) = x1+r1 x2+r2 … xn-1+rn-1 xn-r1-…-rn-1 • General case [Kil88] • f(x1,…,xn)=x1x2 …xn • g(x, (r1,…,rn-1)) = x1r1r1-1x2r2r2-1x2r3 … rn-2-1xn-1rn-1rn-1-1xn
Thm[Barrington 86]Every boolean fNC1 can be computed by a poly-length, width-5 branching program. r1-12r2 1r1 rm-1-1m • f(x1,…,xn) reduces to 12 …m where: • i S5 • Each i depends on a singlexj • distinct 0,1 S5s.t. 12 …m = f(x) f g … … ..… r1 r2 rm-1 x1 x1 x2 x2 xn xn Example: iterated group product Encoding iterated group product123 …m1r1r1-12r2r2-13r3…rm-1-1m • Every output bit of g depends on just a single bit of x • Efficient fully decomposable encoding for every fNC1
Notions of Simplicity - III • Low degree:g(x,r) = vector of degree-d poly in x,r over F • aka “Randomizing Polynomials” [I, Kushilevitz 00,…] • Application: round-efficient MPC • Motivating observation: Low-degree functions are easy to distribute! • Round complexity of MPC protocols [BGW88,CCD88,CDM00,…] • Semi-honest model • t<n/d 2 rounds • t<n/2 multiplicative depth + 1 =log d+1 rounds • Malicious model • Optimal t O(log d) rounds • Randomized func. g reduces to a deterministic degree-d func. g’ • g’((x1, r1), … ,(xn,rn)) = g((x1,…,xn),(r1+…+rn)) • Security of reduction is “model independent”
r1-12r2 1r1 rm-1-1m f g … … ..… r1 r2 rm-1 x1 x1 x2 x2 xn xn Examples • What’s wrong with previous examples? • Great degree in x (degx=1), bad in r • Coming up: • Degree-3 encoding for every f • Efficient in size of branching program RS5
x r Notions of Simplicity - IV • Small locality: • Application: parallel cryptography! [Applebaum, I, Kushilevitz 04,…] • Coming up: encodings with locality 4 • degree 3, fully decomposable • efficient in size of branching program
Parallel Cryptography How low can we get? poly-time NC log-space NC1 AC0 NC0
Tempting conjecture: [CM]: Yes crypto hardness “complex” function [G]: No Cryptography in NC0? • Longstanding open question Håstad 87 Impagliazzo Naor 89 Goldreich 00 Cryan Miltersen 01 Krause Lucks 01 Mossel Shpilka Trevisan 03 • Real-life motivation: super-fast cryptographic hardware
Main Primitives OWF find xf -1(y) f Uin y = f(Uin) poly-time PRG Pseudorandom or Random? f Uin f(Uin) …. …. Uout …. poly-time
OWF open open Surprising Positive Result [AIK04] Compile primitives in a “relatively high” complexity class (e.g., NC1, NL/poly, L/poly) into ones in NC0. NC1 cryptography implied by factoring, discrete-log, lattices… essentially settles open question locality 4 OWF NC1 NC1 NC1 NC1 factoring, discrete-log, lattices, … TC0 TC0 TC0 TC0 subset-sum AC0 AC0 AC0 AC0 impossible NC0 NC0 NC0 NC0 NC04 NC04 NC04 NC04 low stretch NC03 NC03 NC02 NC02 NC02 NC02 PRG OWF
Encoding a OWF y B z Simulator x (x,r) yRf(Un) zRg(Un,Um) A prob p prob p Dec(g(x,r)) = f(x) Sim(f(x)) g(x,r) Thm. f(x) is a OWF g(x,r) is a OWF Proof: inverter B for g inverter A for f g(x,r)=z g(x,r)=z f(x)=y • A succeeds whenever B succeeds • Dec(z) = Dec(g(x,r)) = f(x) • Dec(z) = Dec(Sim(y)) = y • A generates a correct input distribution for B • Sim(f(Un)) = g(Un,Um)
Encoding a PRG • Want: f(x) is a PRG g(x,r) is a PRG • Problems: • output of g may not be pseudorandom • g may shrink its input • Solution: “perfect” randomized encoding • respects pseudorandomness, additive stretch, … • stretch of g is typically sublinear even if that of f is superlinear • most (not all) known constructions give perfectness for free
Additional Cryptographic Primitives • General compiler also applies to: • one-way / trapdoor permutations • collision-resistant hashing • public key / symmetric encryption • signatures / MACs • commitments • … • Caveat: decryption / verification not in NC0… • … But: can commit in NC0 with decommit in NC0[AND] • Applications: coin-flipping, zero-knowledge, …
Non-cryptographic PRGs • ε-biasedgenerators [Mossel Shpilka Trevisan 03]:superlinear stretch in NC05 • Current work: linear stretch in NC03 • optimal locality, stretch • PRGs for space-bounded computation
… g(x,r,s) = T1(x)+r1 T2(x)+r2 Tk(x)+rk … –r1+s1 –s1 –r2+s2 –sk-1–rk Remaining Challenge Coming up… How to encode “complex” f by g NC0? • Observation: enough to obtain const. degree encoding • Locality Reduction:degree 3 poly over GF(2) locality 4rand. encoding f(x) = T1(x) + T2(x) + … + Tk(x)
hencodes g h’encodes f Concatenation Lemma: … f g(1)encodes f(1) g(l)encodes f(l) g encodes f g encodes f … … Manipulating Encodings Composition Lemma:
… … … … … … … … … s s s … … … … … … t t t degree 3 … … NC04 … … … … … … … … … … … … … … … … … … … … … … NC04 … From Branching Programs to locality 4 poly-size BPs f (1) f (2) f (l) … coming up... composition g(1) g(l) g(2) locality reduction h(1) h(2) h(l) concatenation h locality 4
y3 y1 y2 x5 x2 x3 x4 x1 y1,y2 ,y3 y1=NAND(x1 , x2)= x1(1-x2)+(1-x1)x2+(1-x1)(1-x2) y2=NAND(x3 , x4) y3=NAND(y1 ,y2) 1=NAND(y3 , x5) f(x)=1 Note: !y1, y2 , y3 3 Ways to Degree 3 1. Degree-3 encoding using a circuit representation
p(x, y,r)= riqi(x,y) deg.-3 f(x)=0 P(x)is uniform f(x)=1 P(x) 0given y=y0, otherwise itis uniform • Statistical distance amplified to 1/2 by 2(k) repetitions. Using circuit representation (contd.) q1(x,y)=0 q2(x,y)=0 ... qk(x,y)=0 deg.-2 • works over any field • complexity exponential in circuit size
Fact from number theory: 2. Degree-3 encoding using quadratic characters • Let N=2n, b = length-N truth-table of f, F=GF(q) • Define p(x1,…,xn, r) = • one polynomial • huge field size
t s 3. Perfect Degree-3 Encoding from Branching Programs BP=(G, s , t, edge-labeling) Gx=subgraph induced by x t s mod-q NBP: f(x) = # s-t paths in Gx (mod q) • size = # of vertices • circuit-size BP-size formula-size • Boolean case: q=2
BP=(G, s, t, edge-labeling) Gx=subgraph induced by x t t s s mod-q BP: f(x) = # st paths in Gx mod q. size(BP) * * * *-1 * * *0 -1 * *0 0 -1 * Lemma:degree-1 mapping L : x s.t. det(L(x))= f(x). detL(x) (= f(x)) Encoding based on Lemma:g(x,r1,r2)= R1(r1)L(x)R2(r2) 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 -1 -1 0 0 0 *-10 0 00 -10 0 0 0 -10 1 0 0*0 1 0* 0 0 1*0 0 0 1 1* * *0 1* *0 0 1*0 0 0 1 Perfect Degree-3 Encoding of BPs Correctness:f(x)=detg(x,r1,r2) 1 * * * 0 1 * * 0 0 1 * 0 0 0 1 1* * *0 1* *0 0 1*0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0*0 1 0* 0 0 1*0 0 0 1 1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1 0 0 0 *-10 0 00 -10 0 0 0 -10 * * * *-1 * * 00 -1 * 0 0 0 -10 = Privacy: 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 1 $ $ $0 1 $ $0 0 1 $0 0 0 1 * * * *-1 * * *0 -1 * * 0 0 -1 * 1 0 0 $0 1 0 $ 0 0 1 $0 0 0 1 g(x,r1,r2)
s t s t Proof of Lemma * * * *-1 * * * 0 -1 * * 0 0 -1 * Lemma:degree-1 mapping L : x s.t. det(L(x))= f(x). Proof: A(x)= adjacancy matrix of Gx (over F=GF(q)) A* = I+A+A2+… = (I-A)-1 (-1)s+t det (I-A)|t,s / det (I-A) A*s,t = = det (A-I)|t,s L(x)= (A(x)-I)|t,s 0 * * * * 0 0 * * * 0 0 0 * * 0 0 0 0 * 0 0 0 0 0 -1 * * * * 0 -1 * * * 0 0 -1 * * 0 0 0 -1 * 0 0 0 0 -1 L= A=
Thm. size-s BP degree 3 encoding of size O(s2) • perfect encoding for mod-q BP (capturing L/poly for q=2) • large q: useful for (comp.-secure) two-party computation • imperfect for nondeterministic BP (capturing NL/poly)
The secure evaluation of an arbitrary functionality can be reduced to the secure evaluation of degree-3 polynomials. • Q: How many rounds? • How many rounds for maximal privacy? • How much privacy in 2 rounds? 3 rounds suffice t<k/3 suffices • perfect privacy + correctness • complexity O(BP-size2)
Thm . [IK00] A boolean function f admits a perfectly private degree-2 encoding over F if and only if either: • f or its negation test for a linear condition Ax=b over F; • f admits standard representation by a degree-2 polynomial over F. Is 3 minimal?
g x r comp Enc(y) Computationally Private Encodings [AIK05] • Known: f L encoding inNC0 • Goal:fP encoding in NC0 • Idea: relax encoding requirement • Respects security of most primitives • Thm:fP computational encoding in NC04 assuming “easy PRG” (min-PRG L) • “Easy PRG” can be based on factoring, discrete-log, lattices
one-time symmetric encryption NC0[min-PRG] Proof Outline Thm. “easy PRG” encoding in NC0 for allfP f P gNC0[ ] one-time symmetric encryption gNC0[min-PRG] Yao garbled circuit gL hNC04 easy PRG [AIK04]
App 1: Relaxed Assumptions for Crypto in NC0 • Using encoding: comp. perfect OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK Assuming “easy PRG” Sym-Enc PK-Enc Signature Commit NIZK Sym-Enc PK-Enc Signature Commit NIZK NC0 L exist
NC0 NC0 App 2: Parallel Reductions Between Primitives • Proof: given code of min-PRG • Construct f P[min-PRG] via known reduction • Use code of f to construct g NC0[min-PRG] • Note: non-black-box reduction! • What about NC reductions? • Much less is known…. • New Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, … • Thm. All are equivalent under poly-time reductions NR NC1 Sym-Enc PRF Synthesizer HILL Viola AIK NC0 NC0 “Regular” OWF Signature min-PRG PRG OWF Naor NC0 NC0 Commit
App 3: Secure Multiparty Computation • In case you don’t insist on unconditional security… • Secure computatoin of every func. fefficiently reduces to deg-3 poly • … asuming “easy PRG” • In particular: • Protocols desribed by Ivan imply const. round computationally secure MPC for everyf • (Known assuming any PRG [BMR90,DI05]; however, current approach is conceptually simpler.)
Summary • Different flavors of randomized encoding • Motivated by different applications • Round-efficient secure computation • Parallel cryptography • “Simplest” encodings: outputs of form xirjrk+rh • Efficient for various “intermediate complexity” classes (NC1, NL/poly, modqL/poly) • Algebraic approach • “Combinatorial” approach: information-theoretic garbled circuit • Computationally private encodings: efficient for all P (assuming “Easy PRG”)
poly-size NC0 encoding for every fP? • efficient constant-round protocol for every fP? • OWF • OWF in NC0? • OWF in NC1 • OWF in NC03? • locality 3 for every f? • maximal privacy with minimal interaction? • better const-round protocols? • better encodings? • practical hardware? Open Questions Randomized encoding Unconditionally secure MPC Parallel crypto