# Randomization Techniques for Multiparty Computation Yuval Ishai Technion.

## Presentation on theme: "Randomization Techniques for Multiparty Computation Yuval Ishai Technion."— Presentation transcript:

Randomization Techniques for Multiparty Computation Yuval Ishai Technion

Lesson “Unconditionally secure cryptography” is useful! –… even if you don’t care about unconditional security –… even if you don’t care about cryptography Today: randomization techniques  parallel crypto Tomorrow: PIR  locally decodable codes

You came to the right place! Go home! * *return ticket will NOT be paid by organizers Interested in unconditional security in cryptography? Interested in cryptography? Interested in Science? Like traveling, good food, etc.? no yes

Enc(y) The Basic Question g is a “randomized encoding” of f –Nontrivial relaxation of computing f Hope: g can be “simpler” than f –Meaning of “simpler” determined by application xy f Enc(y)x g r decoder simulator Dec(g(x,r)) = f(x) Sim(f(x))  g(x,r) Variants: perfect, stat., comp. “pure IT”

Randomized Encoding - Syntax g r inputs random inputs f x inputs x f(x) is encoded by g(x,r)

f(x) = f(w)  Randomized Encoding - Semantics Correctness: f(x) can be efficiently decoded from g(x,r). Privacy:  efficient simulator S s.t. S( f(x)) ≡ g(x,U) – g(x,U) depends only on f(x) f(x) ≠ f(w)  r w g(w,U) g(x,U) r x ≡ r w g(w,U) g(x,U) r x

Notions of Simplicity - I 2-decomposability: g((x A,x B ),r)=(g A (x A,r),g B (x B,r)) –Application: two-party “private simultaneous messages” protocols [Feige, Kilian, Naor 94, …] r xAxA xBxB AliceBob Carol f(x A,x B ) g A (x A,r)g B (x B,r)

Example: sum f(x A,x B ) = x A +x B (x A,x B  finite group G) xAxA xBxB AliceBob Carol rRGrRG m A +m B x A +r x B -r

Example: equality f(x A,x B ) = equality (x A,x B  finite field F) xAxA xBxB AliceBob Carol r 1  R F \ {0}, r 2  R F m A =m B ? r 1 x A +r 2 r 1 x B +r 2

Example: ANY function f(x A,x B ) = x A  x B (x A,x B  {0,1}) –Reduction to equality: x A  1/0, x B  2/0 General boolean f: write as disjoint 2-DNF –f(x A,x B ) =  (a,b):f(a,b)=1 (x A =a  x B =b) = t 1  t 2  …  t m 00000100000  1 00000000000  0 tsts t s+1 t s-1..... t1t1 t2t2 tmtm Exponential complexity

Notions of Simplicity - II Full decomposability: g((x 1,…,x n ),r)=(g 1 (x 1,r),…,g n (x n,r)) –Application: 1-round SFE to OT reductions [Kilian 88,...] r xAxA xBxB Alice Bob f(x A,x B ) g A (x A,r) OT Dishonest Alice? g n (0,r)g n (1,r) xnxn g n (x n,r)

Example: iterated group product Abelian case –f(x 1,…,x n )=x 1 +x 2 +…+x n –g(x, (r 1,…,r n-1 )) = x 1 +r 1 x 2 +r 2 … x n-1 +r n-1 x n -r 1 -…-r n-1 General case [Kil88] –f(x 1,…,x n )=x 1 x 2 … x n –g(x, (r 1,…,r n-1 )) = x 1 r 1 r 1 -1 x 2 r 2 r 2 -1 x 2 r 3 … r n-2 -1 x n-1 r n-1 r n-1 -1 x n

Example: iterated group product f(x 1,…,x n ) reduces to  1  2  …  m where:  i  S 5 Each  i depends on a single x j  distinct  0,  1  S 5 s.t.  1  2  …  m =  f(x) Thm [Barrington 86] Every boolean f  NC 1 can be computed by a poly-length, width-5 branching program. Encoding iterated group product  1  2  3  …  m   1 r 1 r 1 -1  2 r 2 r 2 -1  3 r 3 … r m-1 -1  m g r1r1 f x1x1 x2x2 xnxn x1x1 x2x2 xnxn r2r2 r m-1 … …..… 1r11r1 r 1 -1  2 r 2 r m-1 -1  m Every output bit of g depends on just a single bit of x  Efficient fully decomposable encoding for every f  NC 1

Notions of Simplicity - III Low degree: g(x,r) = vector of degree-d poly in x,r over F –aka “Randomizing Polynomials” [I, Kushilevitz 00,…] –Application: round-efficient MPC Motivating observation: Low-degree functions are easy to distribute! –Round complexity of MPC protocols [BGW88,CCD88,CDM00,…] Semi-honest model –t { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/13/4047921/slides/slide_15.jpg", "name": "Notions of Simplicity - III Low degree: g(x,r) = vector of degree-d poly in x,r over F –aka Randomizing Polynomials [I, Kushilevitz 00,…] –Application: round-efficient MPC Motivating observation: Low-degree functions are easy to distribute.", "description": "–Round complexity of MPC protocols [BGW88,CCD88,CDM00,…] Semi-honest model –t

Examples What’s wrong with previous examples? –Great degree in x (deg x =1), bad in r Coming up: –Degree-3 encoding for every f –Efficient in size of branching program g r1r1 f x1x1 x2x2 xnxn x1x1 x2x2 xnxn r2r2 r m-1 … …..… 1r11r1 r 1 -1  2 r 2 r m-1 -1  m RS5RS5

Notions of Simplicity - IV Small locality: –Application: parallel cryptography! [Applebaum, I, Kushilevitz 04,…] Coming up: encodings with locality 4 –degree 3, fully decomposable –efficient in size of branching program xr

Parallel Cryptography poly-time NC log-space NC 1 AC 0 NC 0 How low can we get?

Cryptography in NC 0 ? Tempting conjecture: crypto hardness“complex” function Longstanding open question Håstad 87 Impagliazzo Naor 89 Goldreich 00 Cryan Miltersen 01 Krause Lucks 01 Mossel Shpilka Trevisan 03 Real-life motivation: super-fast cryptographic hardware [CM]: Yes [G]: No

Main Primitives f …. f(U in ) U out poly-time f OWF U in y = f(U in ) poly-time find x  f -1 (y) PRG U in Pseudorando m or Random?

AC 0 Compile primitives in a “relatively high” complexity class (e.g., NC 1, NL/poly,  L/poly) into ones in NC 0. Surprising Positive Result [AIK04] NC 1 cryptography implied by factoring, discrete-log, lattices…  essentially settles open question OWF locality 4 NC 0 2 NC 0 3 NC 0 NC 1 NC 0 2 NC 0 3 NC 0 NC 1 PRGOWF factoring, discrete-log, lattices, … subset-sum impossible NC 0 2 NC 1 TC 0 NC 0 4 low stretch open AC 0 NC 0 NC 0 4 AC 0 NC 0 NC 0 4

Encoding a OWF Thm. f(x) is a OWF  g(x,r) is a OWF Proof: inverter B for g  inverter A for f g(x,r)=zf(x)=y x A Simulator y B (x,r) z A succeeds whenever B succeeds –Dec(z) = Dec(g(x,r)) = f(x) –Dec(z) = Dec(Sim(y)) = y z  R g(U n,U m ) prob p y  R f(U n ) prob  p A generates a correct input distribution for B –Sim(f(U n )) = g(U n,U m ) g(x,r)=z Dec(g(x,r)) = f(x) Sim(f(x))  g(x,r)

Want: f(x) is a PRG  g(x,r) is a PRG Problems: –output of g may not be pseudorandom –g may shrink its input Solution: “perfect” randomized encoding –respects pseudorandomness, additive stretch, … –stretch of g is typically sublinear even if that of f is superlinear –most (not all) known constructions give perfectness for free Encoding a PRG

Additional Cryptographic Primitives General compiler also applies to: –one-way / trapdoor permutations –collision-resistant hashing –public key / symmetric encryption –signatures / MACs –commitments –…–… Caveat: decryption / verification not in NC 0 … –… But: can commit in NC 0 with decommit in NC 0 [AND] –Applications: coin-flipping, zero-knowledge, …

Non-cryptographic PRGs ε-biased generators [Mossel Shpilka Trevisan 03]: superlinear stretch in NC 0 5 – Current work: linear stretch in NC 0 3 optimal locality, stretch PRGs for space-bounded computation

Remaining Challenge How to encode “complex” f by g  NC 0 ? Observation: enough to obtain const. degree encoding Locality Reduction: degree 3 poly over GF(2)  locality 4 rand. encoding f(x) = T 1 (x) + T 2 (x) + … + T k (x) g(x,r,s) =T 1 (x)+r 1 T 2 (x)+r 2 T k (x)+r k … –r1+s1–r1+s1 –s 1 –r 2 +s 2 –s k-1 –r k … Coming up…

Manipulating Encodings Composition Lemma: f h encodes g h’ encodes f g encodes f Concatenation Lemma: g (1) encodes f (1) … g (l) encodes f (l) g encodes f … …

From Branching Programs to locality 4 … f (1) f (2) s t s t f (l) poly-size BPs … … … … … … … … … … … … … … … … degree 3 coming up... locality reduction concatenation s t …… …… …… … …… … … NC 0 4 …… …… …… …… …… …… … g (1) g (2) g(l)g(l) h (1) h (2) h(l)h(l) composition h locality 4

3 Ways to Degree 3 1. Degree-3 encoding using a circuit representation f(x)=1f(x)=1  y 1, y 2, y 3 y 1 =NAND(x 1, x 2 )= x 1 (1-x 2 )+(1-x 1 )x 2 +(1-x 1 )(1-x 2 ) y 2 =NAND(x 3, x 4 ) y 3 =NAND(y 1, y 2 ) 1 =NAND(y 3, x 5 )  Note:   ! y 1, y 2, y 3 x1x1 x2x2 x3x3 x4x4 y1y1 y2y2 x5x5 y3y3

Using circuit representation (contd.) q 1 (x,y)= 0 q 2 (x,y)= 0... q k (x,y)=0 deg.-2 p(x, y,r)=  r i q i (x,y) f(x)=0  P(x) is uniform f(x)=1  P(x)  0 given y=y 0, otherwise it is uniform Statistical distance amplified to 1/2 by 2  (k) repetitions. deg.-3 works over any field complexity exponential in circuit size

one polynomial huge field size 2. Degree-3 encoding using quadratic characters Fact from number theory: Let N=2 n, b = length-N truth-table of f, F=GF(q) Define p(x 1,…,x n, r) =

3. Perfect Degree-3 Encoding from Branching Programs s t s t BP=(G, s, t, edge-labeling)G x =subgraph induced by x mod-q NBP: f(x) = # s-t paths in G x (mod q) size = # of vertices circuit-size  BP-size  formula-size Boolean case: q=2

1 * * * 0 1 * * 0 0 1 * 0 0 0 1 1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1 1 * * * 0 1 * * 0 0 1 * 0 0 0 1 1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1 Perfect Degree-3 Encoding of BPs s t s t BP=(G, s, t, edge-labeling)G x =subgraph induced by x mod-q BP: f(x) = # s  t paths in G x mod q. Lemma:  degree-1 mapping L : x  s.t. det(L(x))= f(x). * * * * -1 * * * 0 -1 * * 0 0 -1 * size(BP) 1 \$ \$ \$ 0 1 \$ \$ 0 0 1 \$ 0 0 0 1 * * * * -1 * * * 0 -1 * * 0 0 -1 * 1 0 0 \$ 0 1 0 \$ 0 0 1 \$ 0 0 0 1 Encoding based on Lemma: g(x,r 1,r 2 )= R 1 (r 1 )  L(x)  R 2 (r 2 ) det L(x) (= f(x)) * * * * -1 * * 0 0 -1 * 0 0 0 -1 0 0 0 0 * -1 0 0 0 0 -1 0 0 0 0 -1 0 Correctness: f(x)=det g(x,r 1,r 2 ) Privacy: * * * * -1 * * * 0 -1 * * 0 0 -1 * 0 0 0 * -1 0 0 0 0 -1 0 0 0 0 -1 0 1 \$ \$ \$ 0 1 \$ \$ 0 0 1 \$ 0 0 0 1 * * * * -1 * * * 0 -1 * * 0 0 -1 * 1 0 0 \$ 0 1 0 \$ 0 0 1 \$ 0 0 0 1 1 0 0 * 0 1 0 * 0 0 1 * 0 0 0 1 1 * * * 0 1 * * 0 0 1 * 0 0 0 1 = 1 0 0 \$ 0 1 0 \$ 0 0 1 \$ 0 0 0 1 1 \$ \$ \$ 0 1 \$ \$ 0 0 1 \$ 0 0 0 1 g(x,r 1,r 2 ) 

-1 * * * * 0 -1 * * * 0 0 -1 * * 0 0 0 -1 * 0 0 0 0 -1 Proof of Lemma A(x)= adjacancy matrix of G x (over F=GF(q)) A * = I+A+A 2 +… = (I-A) -1 A * s,t = 0 * * * * 0 0 * * * 0 0 0 * * 0 0 0 0 * 0 0 0 0 0 = det (A-I)| t,s L(x)= (A(x)-I)| t,s Lemma:  degree-1 mapping L : x  s.t. det(L(x))= f(x). * * * * -1 * * * 0 -1 * * 0 0 -1 * Proof: (-1) s+t  det (I-A)| t,s / det (I-A) A=A= L=L= s t t s

Thm. size-s BP  degree 3 encoding of size O(s 2 ) perfect encoding for mod-q BP (capturing  L/poly for q=2) large q: useful for (comp.-secure) two-party computation imperfect for nondeterministic BP (capturing NL/poly)

Q: How many rounds? How many rounds for maximal privacy? How much privacy in 2 rounds? 3 rounds suffice t { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/13/4047921/slides/slide_36.jpg", "name": "Q: How many rounds. How many rounds for maximal privacy.", "description": "How much privacy in 2 rounds. 3 rounds suffice t

Thm. [IK00] A boolean function f admits a perfectly private degree-2 encoding over F if and only if either: for its negation test for a linear conditionAx=b overF; fadmits standard representation by a degree-2 polynomial overF. Is 3 minimal?

Computationally Private Encodings [AIK05] Known: f   L  encoding in NC 0 Goal: f  P  encoding in NC 0 Idea: relax encoding requirement Respects security of most primitives Thm: f  P  computational encoding in NC 0 4 assuming “easy PRG” (min-PRG   L) x g r Enc(y) comp  “Easy PRG” can be based on factoring, discrete-log, lattices

Proof Outline Thm. “easy PRG”  encoding in NC 0 for all f  P f  Pg  NC 0 [ ]g  NC 0 [min-PRG] g  L h  NC 0 4 Yao garbled circuit easy PRG [AIK04] one-time symmetric encryption  NC 0 [min-PRG]

exist perfect Using encoding: comp. App 1: Relaxed Assumptions for Crypto in NC 0 OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK Sym-Enc PK-Enc Signature Commit NIZK Sym-Enc PK-Enc Signature Commit NIZK   L L  NC 0 Assuming “easy PRG” OWF OWP PRG Hash Sym-Enc PK-Enc Signature Commit NIZK

Proof: given code of min-PRG Construct f  P[min-PRG] via known reduction Use code of f to construct g  NC 0 [min-PRG] Note: non-black-box reduction! Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, … What about NC reductions? Much less is known…. New Thm. All are equivalent under poly-time reductions App 2: Parallel Reductions Between Primitives OWF min-PRG PRG Commit Sym-Enc Signature Synthesizer NC 0 “Regular” OWF NC 1 NC 0 PRF NC 0 HILL Viola AIK NR Naor

In case you don’t insist on unconditional security… Secure computatoin of every func. f efficiently reduces to deg-3 poly … asuming “easy PRG” In particular: Protocols desribed by Ivan imply const. round computationally secure MPC for every f (Known assuming any PRG [BMR90,DI05]; however, current approach is conceptually simpler.) App 3: Secure Multiparty Computation

Summary Different flavors of randomized encoding –Motivated by different applications Round-efficient secure computation Parallel cryptography “Simplest” encodings: outputs of form x i r j r k +r h –Efficient for various “intermediate complexity” classes (NC 1, NL/poly, mod q L/poly) Algebraic approach “Combinatorial” approach: information-theoretic garbled circuit –Computationally private encodings: efficient for all P (assuming “Easy PRG”)

Open Questions Randomized encoding Unconditionally secure MPC Parallel crypto poly-size NC 0 encoding for every f  P? efficient constant- round protocol for every f  P?  OWF   OWF in NC 0 ? locality 3 for every f? maximal privacy with minimal interaction?  OWF in NC 1   OWF in NC 0 3 ? better encodings? better const-round protocols? practical hardware?