Cryptography in Constant Parallel Time


Page 1: Cryptography in Constant Parallel Time

Cryptography in Constant Parallel Time

Talk based on joint works with Yuval Ishai and Eyal Kushilevitz

(FOCS 04, CCC 05, RANDOM 06, CRYPTO 07)

Benny Applebaum (Technion Princeton)

Page 2: Cryptography in Constant Parallel Time

Talk Outline

• Part 1: Crypto in NC0 – Survey
– The basic question
– Main results
– Main tool: randomized encoding of functions

• Part 2: Crypto in CN0 [AIK 07]
– The basic question
– Main results
– “Something” about the proof

Page 3: Cryptography in Constant Parallel Time

Part 1: Crypto in NC0

(Diagram: ZK-Proofs, Signature, Encryption.)

Page 4: Cryptography in Constant Parallel Time

Efficiency of Cryptographic Primitives

• Q: What computational resources are needed for cryptography?

• Can cryptographic primitives be computed by very simple functions?

Simple = each output bit depends on O(1) input bits
= const. depth circuits with bounded fan-in
= NC0

• Currently the smallest creature in the complexity zoo

Page 5: Cryptography in Constant Parallel Time

Cryptography in NC0?

• Tempting conjecture: crypto hardness requires a “complex” function

• Longstanding open question
Håstad 87, Impagliazzo Naor 89, Goldreich 00, Cryan Miltersen 01, Krause Lucks 01, Mossel Shpilka Trevisan 03
– [CM]: Yes, [G]: No

• Real-life motivation: super-fast cryptographic hardware

Page 8: Cryptography in Constant Parallel Time

Previous Work

• Positive results
– PRG in NC1 from factoring, discrete-log, lattices, …
– PRF in NC1 from factoring [Naor Reingold 97]
– PRG (sub-linear stretch) in AC0 from subset sum [Impagliazzo Naor 89]
– Permutation in NC0 which is P-complete to invert [Håstad 87]
– Function in NC0 which is NP-complete to invert [Agrawal Allender Rudich 98]
– Heuristic construction of OWF/PRG in NC0 [Goldreich 00, MST 03]

• Negative results
– No OWF in NC0_2 [Goldreich 00, Cryan Miltersen 01]
– No PRG with large stretch in NC0_3, NC0_4 [CM01, Mossel Shpilka Trevisan 03]

(Diagram: PRG / OWF by class: NC0_2 impossible; NC0_3, NC0_4, NC0 open / low stretch (MST 03); AC0 from subset sum; NC1 from factoring, discrete-log, lattices, ….)

Page 9: Cryptography in Constant Parallel Time

Our Approach

Compile primitives in a “relatively high” complexity class into ones in NC0.

(Diagram: OWF → Compiler → OWF with locality 4.)

Page 10: Cryptography in Constant Parallel Time

Our Results

Page 11: Cryptography in Constant Parallel Time

Sufficient Assumptions for Crypto in NC0

(Diagram: OWF, PRG, Hash, Sym-Enc, PK-Enc, Signature, Commit, NIZK: from NC1 to NC0_4 [AIK 04], and, assuming a min-PRG in NC1, from NC1 to NC0 [AIK 05]; underlying assumptions: factoring, discrete-log/DDH, lattices, …; PK-Enc, NI-Com, Sign, NIZK from factoring.)

Caveats:
• We get PRG with sub-linear stretch
• Decryption / verification not in NC0…
– In fact, impossible to decrypt/verify in NC0
– … But: commitments in NC0 with decommit in NC0[AND] exist

Page 12: Cryptography in Constant Parallel Time

Parallel Reductions Between Primitives

• Thm. All are equivalent under poly-time reductions
Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, …

Note: non-black-box reductions!

• What about NC reductions?
• Much less is known….
• New [AIK05]

(Diagram: OWF, “Regular” OWF, min-PRG, lin-PRG, Commit, Sym-Enc, Signature, Synthesizer, PRF, with each reduction marked NC1 or NC0 and its source: HILL90, NR95, Naor89, AIK04, GGM84.)

Page 13: Cryptography in Constant Parallel Time

PRG with large stretch in NC0

• Our techniques give a PRG with sub-linear stretch
– E.g., stretches n bits to n + n^0.5 bits

• Question: Are there PRGs in NC0 with large stretch?
– E.g., linear stretch, G: {0,1}^n → {0,1}^{2n} (LPRG)

• Motivation: parallel stream ciphers

• Related work:
– No super-linear PRG in NC0_3, NC0_4 [CM01, MST03]
– Heuristic super-linear PRG in NC0_5 [MST 03]

Page 14: Cryptography in Constant Parallel Time

PRG with large stretch in NC0

• Question: Are there PRGs in NC0 with large stretch?

• Thm. [AIK 06]: LPRG in NC0
– from algebraic assumption of [Alekhnovich 03]
– (easily) implies inapproximability of MAX 3SAT (no PCP!)
– unlikely to be constructed via “compiler”

Page 15: Cryptography in Constant Parallel Time

Our Techniques

Page 16: Cryptography in Constant Parallel Time

Main Tool: Randomized Encoding

(Diagram: x → f → y, and (x, r) → g → Enc(y).)

Page 17: Cryptography in Constant Parallel Time

Randomized Encoding - Definition

• Correctness: f(x) can be efficiently decoded from g(x,r).

• Privacy: efficient simulator S s.t. S(f(x)) ≡ g(x,U)
– g(x,U) depends only on f(x)

(Diagram: for inputs x and w with f(x) = f(w), the distributions g(x,U) and g(w,U) coincide; for f(x) ≠ f(w) their supports are disjoint.)

Page 18: Cryptography in Constant Parallel Time

Randomized Encoding – Cont.

• Explicitly introduced by Ishai and Kushilevitz [IK 00]
– Algebraic framework of randomizing polynomials
– Motivation: information-theoretic secure multiparty computation
– Weaker versions implicit in secure computation (e.g. [Kil 88, FKN 94])

• g is a “randomized encoding” of f
– Nontrivial relaxation of computing f

• Want relaxation to be
– Secure: g inherits security properties of f
– Liberal: even “complex” f admit encodings g in NC0

Page 19: Cryptography in Constant Parallel Time

Security of Randomized Encoding

• Thm. [AIK04]: preserves crypto hardness of most primitives
– E.g., OWF, OWP, PRG, Sym-Enc, PK-Enc, Sign, MAC, Hash, Com, ZK

– Also works for information-theoretic primitives (ε-biased generators, extractors, …)

– Different primitives require different variants of randomized encoding

• Paradigm for crypto w/low complexity:

– Encode functions in complexity class HIGH by functions in LOW

– Show that a primitive P can be implemented in HIGH

– Conclude that P can be implemented in LOW

Page 20: Cryptography in Constant Parallel Time

Part 2: Crypto in CN0

[AIK07]

Page 21: Cryptography in Constant Parallel Time

Cryptography with Constant Input Locality

Till now we considered only NC0 functions…

NC0 = const. depth circuits with bounded fan-in
= each output bit depends on O(1) input bits (output locality)

CN0 = each input bit affects O(1) output bits (input locality)

Q: Can cryptographic primitives be realized by functions in which each input bit affects a constant number of output bits?

Page 22: Cryptography in Constant Parallel Time

Motivation I: Avalanche Property

Confusion/Diffusion, Avalanche [Shannon 49, Feistel 73]:
input-output dependencies of a block cipher should be “complex”

“The important fact is that all output digits have potentially become very involved functions of all input digits” [Feistel 73]

Easily justified in block ciphers (or pseudorandom functions/permutations).

Is it also true for other primitives?

Page 23: Cryptography in Constant Parallel Time

Motivation II: Fast Crypto Hardware

NC0: circuits of const. depth, const. fan-in, unbounded fan-out (depth = O(1))

NC0 ∩ CN0: circuits of const. depth, const. fan-in, const. fan-out
= functions of const. output locality & input locality

Page 24: Cryptography in Constant Parallel Time

Motivation III: Complexity Theory

k-Constraint Satisfaction Problem
• List of constraints over n variables x1,…,xn
• Each constraint involves k=O(1) variables
– X1 + X3 X5 = 0
– X2 X3 X4 = 1
– ...
– X2 + X3 + X4 = 1

• Goal: Find a satisfying assignment
• Fact: Hard in many aspects:
– Cook-Levin Theorem [C71, L73]: NP-hard
– PCP Theorem [ALMSS, AS 92]: NP-hard to approximate
– OWF in NC0 [AIK 04]: “Cryptographically-hard”

Bounded-occurrence: each variable appears in O(1) constraints
– [C71]: Still NP-hard
– [PY88]: Still NP-hard to approximate
– Still “Cryptographically-hard”? OWF in NC0 ∩ CN0: YES

Page 25: Cryptography in Constant Parallel Time

Previous Work

• [Goldreich 00] Heuristic OWF in NC0 ∩ CN0

• [Mossel Shpilka Trevisan 03] Heuristic PRG in NC0 ∩ CN0

• [AIK 04] Primitives in NC0 from primitives in NC1
– Primitives in NC1 from standard assumptions (e.g., factoring, DLOG, lattices)
– OWFs, PRGs, Encryption, Signatures, Hash… in NC0 from factoring

• [AIK 06] Linear PRG in NC0 ∩ CN0 from Assumption of [Alekhnovich 03]

(Diagram: NC0 vs CN0 by assumption: most primitives in NC0 from factoring; OWF, PRG as heuristic constructions; PRG from Alekhnovich’s assumption; random linear code / McEliece.)

Crypto in CN0 under standard assumptions?

Page 26: Cryptography in Constant Parallel Time

Main Result

A characterization of crypto tasks computable in CN0

Impossible in CN0
• Message Authentication Codes
• Signatures
• Non-Malleable Encryption (symmetric, public-key)

Possible in CN0
• One-Way Functions *
• Pseudorandom Generators *
• Commitment Schemes *
• Semantically-Secure Encryption (symmetric *, public-key **)

* If hard to decode random binary linear code / learn parity w/noise
** If hard to break McEliece cryptosystem


Page 28: Cryptography in Constant Parallel Time

Positive Results Proof Outline:

• Use the randomized encoding paradigm

• New Construction: encoding in CN0 for functions with “nice algebraic structure”

• Assumption: Hardness of decoding random linear code / McEliece

• Assumption ⇒ crypto primitives with “nice algebraic structure”

(Diagram: Decoding rand. linear code/McEliece → Primitive with nice algebraic structure → Primitive in CN0.)

Page 29: Cryptography in Constant Parallel Time

Encoding in CN0 – Toy Example

f(x) = ( x1 + x2, x1 + x3, x1 + x4, x1 + x5 )

Goal: Reduce locality of x1 without increasing locality of other vars

Attempt 1 (chain):
g(x) = ( x1 + x2, -x2 + x3, -x3 + x4, -x4 + x5 )
• Deterministic encoding!
• Problem: Increased the locality of other vars

Attempt 2 (replace):
g(x,r) = ( r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1 - r1, x1 - r2, x1 - r3, x1 - r4 )
• Problem: Didn’t reduce the locality of x1

Solution: Combine 1+2 (replace and chain)
g(x,r) = ( r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1 - r1, r1 - r2, r2 - r3, r3 - r4 )
• Locality: x1 is 1, x2, x3, x4, x5 did not increase, ri’s is 3


Page 31: Cryptography in Constant Parallel Time

Encoding in CN0 – Toy Example

f(x) = ( x1 + x2, x1 + x3, x1 + x4, x1 + x5 )

Solution: Combine 1+2 (replace and chain)
g(x,r) = ( r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1 - r1, r1 - r2, r2 - r3, r3 - r4 )

• Correctness: To decode, add the corresponding entries, e.g. x1 + x4 = (r3 + x4) + (x1 - r1) + (r1 - r2) + (r2 - r3).

• Privacy: g(x,r) distributed uniformly under correctness constraint.

By iterating the basic gadget for every variable:
Corollary: every linear function can be encoded by a function w/ input locality 3
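The replace-and-chain gadget above, applied to every input variable as the corollary describes, as an added example (not the authors' code): the set-of-variables representation of a GF(2)-linear function, the `plan` decoder and the exhaustive privacy check over all random strings are my own constructions.

```python
"""Added example (not the authors' code): the "replace and chain" gadget of
the toy example, applied to every input variable of a GF(2)-linear f."""
from collections import Counter
from itertools import count, product

def locality(entries):
    """Input locality: in how many output entries each variable occurs."""
    loc = Counter()
    for e in entries:
        loc.update(e)
    return dict(loc)

def encode(f, inputs):
    """Return (g, plan): g encodes f; XOR of the g-entries in plan[j] is f_j."""
    g = [set(e) for e in f]                   # entry = set of variables XORed
    plan = [[j] for j in range(len(f))]
    fresh = count()
    for x in inputs:
        where = [j for j in range(len(f)) if x in g[j]]
        if len(where) <= 1:
            continue                          # x already has locality <= 1
        prev, start = x, len(g)
        for j in where:
            r = f"r{next(fresh)}"
            g[j].remove(x)
            g[j].add(r)                       # replace: this x by a fresh r
            g.append({prev, r})               # chain: x^r1, r1^r2, r2^r3, ...
            prev = r
        for k, j in enumerate(where):         # f_j = g_j ^ (x^r1) ^ ... ^ (r_{k-1}^r_k)
            plan[j] += list(range(start, start + k + 1))
    return g, plan

def evaluate(entries, assignment):
    return tuple(sum(assignment[v] for v in e) % 2 for e in entries)

def decode(g_value, plan):
    return tuple(sum(g_value[i] for i in idx) % 2 for idx in plan)

def distribution(g, inputs, x):
    """Multiset of g(x, r) over every random string r, i.e. g(x, U)."""
    rs = sorted({v for e in g for v in e if v not in inputs})
    dist = Counter()
    for bits in product((0, 1), repeat=len(rs)):
        dist[evaluate(g, {**dict(zip(inputs, x)), **dict(zip(rs, bits))})] += 1
    return dist

# Toy example from the slides: f(x) = (x1+x2, x1+x3, x1+x4, x1+x5) over GF(2).
X = ["x1", "x2", "x3", "x4", "x5"]
F = [{"x1", "x2"}, {"x1", "x3"}, {"x1", "x4"}, {"x1", "x5"}]
G, PLAN = encode(F, X)   # 8 entries: x1..x5 have locality 1, r's at most 3
```

For the toy example `G` is exactly the eight-entry encoding of the slide; `distribution` confirms privacy by showing that two inputs with the same f-value give the same uniform output multiset.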

Page 32: Cryptography in Constant Parallel Time

Encoding in CN0 – Generalization

• Suppose that f is given in some additive form.

• E.g., f(x) = ( x1x2 + x2x3x5, x1x2 + x2x4x5, x1x2 + x1x3x4, x1x2 + x2x5 )

• rank(xi) = # of distinct terms in which xi appears (here rank(x1) = 2)

• Thm. f can be encoded by g such that:
– input locality of xi is rank(xi)
– input locality of random inputs is at most 3.
– output locality is not increased.

• Proof: Generalize previous construction.

• Corollary: If for every i, rank(xi) = O(1) ⇒ g is in CN0

• [AIK04] If also algebraic degree = O(1) ⇒ g is in CN0 ∩ NC0

• Tightness: Some functions cannot be encoded with locality < rank(xi)
Some functions cannot be encoded in CN0 (even w/ non-efficient encoding).
– Unlike NC0: “every f has (non-efficient) encoding in NC0” [AIK04]

Page 33: Cryptography in Constant Parallel Time

Decoding Random Linear Code

(Diagram: y = M · x + e, where M is a public random binary m × n matrix, x is a random binary info word of n bits, and e is an m-bit iid noise vector in which each bit is 1 with the noise probability.)

• Problem: Given M, y find x

• Params: m and the noise rate. E.g., m = 10n, noise rate = ¼.

• Assumption: Problem is computationally hard

• Well studied in Coding Theory/Learning Theory [Kearns98, BKW00, Lyu05, FGKP06]

• Assumption does not hold ⇒ major breakthrough in Coding Theory

• Similar assumptions in [GKL93, BFKL93, Chab94, HB01, Reg05, JW05, KS06]

Page 34: Cryptography in Constant Parallel Time

Decoding Random Linear Code

• Problem has nice algebraic structure: linear function + some low-degree noise
– y = M · x + e with e_i = r_{2i-1} · r_{2i} (each noise bit is the product of two fresh random bits, so it is 1 with probability ¼)

• Can be used to construct primitives with low rank and low degree
– e.g., OWF, PRG, Commitment

Page 35: Cryptography in Constant Parallel Time

Conclusions

• Cryptography in constant parallel time is possible

• Randomized encodings (of various types) are useful for

this problem (and others…, e.g. MPC)

Future Directions:

• Better encodings ??

• Better implementations ??

• Better (weaker) assumptions ??

• More applications of randomized encoding ??

Page 36: Cryptography in Constant Parallel Time

Thank You !