Cryptography in Constant Parallel Time
Talk based on joint works with Yuval Ishai and Eyal Kushilevitz
(FOCS 04, CCC 05, RANDOM 06, CRYPTO 07)
Benny Applebaum (Technion / Princeton)

Talk Outline
• Part 1: Crypto in NC0 – Survey
  - The basic question
  - Main results
  - Main tool: randomized encoding of functions
• Part 2: Crypto in CN0 [AIK 07]
  - The basic question
  - Main results
  - “Something” about the proof
Part 1: Crypto in NC0

Efficiency of Cryptographic Primitives
[Figure: ZK-Proofs, Signature, Encryption]
• Q: What computational resources are needed for cryptography?
• Can cryptographic primitives be computed by very simple functions?
• Simple = each output bit depends on O(1) input bits
         = const. depth circuits with bounded fan-in
         = NC0
• Currently the smallest creature in the complexity zoo
Cryptography in NC0?
• Tempting conjecture: crypto hardness ⇒ “complex” function ([CM]: Yes, [G]: No)
• Longstanding open question: Håstad 87; Impagliazzo Naor 89; Goldreich 00; Cryan Miltersen 01; Krause Lucks 01; Mossel Shpilka Trevisan 03
• Real-life motivation: super-fast cryptographic hardware
Basic Primitives: One-way Function (OWF)
[Figure: x → f → y. Computing y = f(x) is easy; for a poly-time machine, finding x ∈ f⁻¹(y) is hard.]
Basic Primitives: Pseudorandom Generator (PRG)
[Figure: a random source feeds U_in into G; a poly-time machine is given either G(U_in) or U_out and must decide: pseudorandom or random? The stretch is the number of output bits beyond the input bits.]
Def. PRG is minimal if stretch = 1
Previous Work
• Positive results
  – PRG in NC1 from factoring, discrete-log, lattices…
  – PRF in NC1 from factoring [Naor Reingold 97]
  – PRG (sub-lin stretch) in AC0 from subset sum [Impagliazzo Naor 89]
  – Permutation in NC0 which is P-complete to invert [Håstad 87]
  – Function in NC0 which is NP-complete to invert [Agrawal Allender Rudich 98]
  – Heuristic construction of OWF/PRG in NC0 [Goldreich 00, MST 03]
• Negative results
  – No OWF in NC0₂ [Goldreich 00, Cryan Miltersen 01]
  – No PRG with large stretch in NC0₃, NC0₄ [CM01, Mossel Shpilka Trevisan 03]
[Figure: PRG/OWF by class – NC0₂: impossible; NC0₃, NC0₄: open (low stretch) / heuristic PRG [MST 03]; NC0: ?; AC0: subset sum; NC1: factoring, discrete-log, lattices, …]
Our Approach
Compile primitives in a “relatively high” complexity class into ones in NC0.
[Figure: OWF → Compiler → OWF with locality 4]
Our Results
Sufficient Assumptions for Crypto in NC0
• Assuming min-PRG in NC1 (from factoring, discrete-log/DDH, lattices, …): OWF, PRG, Hash, Sym-Enc, PK-Enc, Signature, Commit, NIZK in NC0
[Figure: NC1 → NC0 compilation; from factoring, OWF, PRG, Hash, Sym-Enc, PK-Enc, NI-Com, Sign, NIZK all land in NC0₄ [AIK 04][AIK 05]]
• Caveats:
  - We get PRG with sub-linear stretch
  - Decryption / verification not in NC0…
    – In fact, impossible to decrypt/verify in NC0
    – … But: can commit in NC0 with decommit in NC0 [AND] exist
Parallel Reductions Between Primitives
• Thm. All are equivalent under poly-time reductions: Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, …
• What about NC reductions? Much less is known….
• New [AIK05]: NC0 reductions
• Note: non-black-box reductions!
[Figure: reduction graph – “regular” OWF → OWF → min-PRG → lin-PRG (HILL90, AIK04); min-PRG → Commit (Naor89); lin-PRG → Sym-Enc; Signature; Synthesizer → PRF (NR95); PRG → PRF (GGM84); each edge labelled NC1 or NC0]
PRG with large stretch in NC0
• Our techniques give a PRG with sub-linear stretch
  - E.g., stretches n bits to n + n^0.5 bits
• Question: Are there PRGs in NC0 with large stretch?
  - E.g., linear stretch, G: {0,1}^n → {0,1}^2n (LPRG)
• Motivation: parallel stream ciphers
• Related work:
  - No super-linear PRG in NC0₃, NC0₄ [CM01, MST03]
  - Heuristic super-linear PRG in NC0₅ [MST 03]
• Thm. [AIK 06]: LPRG in NC0
  - from algebraic assumption of [Alekhnovich 03]
  - (easily) implies inapproximability of MAX 3SAT (no PCP!)
  - unlikely to be constructed via “compiler”
Our Techniques
Main Tool: Randomized Encoding
[Figure: f maps x to y; the encoding g maps (x, r), with r random, to Enc(y)]

Randomized Encoding - Definition
• Correctness: f(x) can be efficiently decoded from g(x,r).
• Privacy: efficient simulator S s.t. S(f(x)) ≡ g(x,U)
  – g(x,U) depends only on f(x)
[Figure: if f(x) = f(w) then g(x,U) ≡ g(w,U); if f(x) ≠ f(w) then g(x,U) and g(w,U) are separated by the decoder]
Randomized Encoding – Cont.
• Explicitly introduced by Ishai and Kushilevitz [IK 00]
  – Algebraic framework of randomizing polynomials
  – Motivation: information-theoretic secure multiparty computation
  – Weaker versions implicit in secure computation (e.g. [Kil 88, FKN 94])
• g is a “randomized encoding” of f
  – Nontrivial relaxation of computing f
• Want relaxation to be
  – Secure: g inherits security properties of f
  – Liberal: even “complex” f admit encodings g ∈ NC0

Security of Randomized Encoding
• Thm. [AIK04]: preserves crypto hardness of most primitives
  – E.g., OWF, OWP, PRG, Sym-Enc, PK-Enc, Sign, MAC, Hash, Com, ZK
  – Also works for information-theoretic primitives (ε-biased gens, extractors, …)
  – Different primitives require different variants of randomized encoding
• Paradigm for crypto w/low complexity:
  – Encode functions in complexity class HIGH by functions in LOW
  – Show that a primitive P can be implemented in HIGH
  – Conclude that P can be implemented in LOW
Part 2: Crypto in CN0 [AIK07]

Cryptography with Constant Input Locality
Till now we considered only NC0 functions…
• NC0 = const. depth circuits with bounded fan-in
      = each output bit depends on O(1) input bits (output locality)
• CN0 = each input bit affects O(1) output bits (input locality)
[Figure: input/output dependency graphs – NC0 bounds the output locality, CN0 bounds the input locality]
Q: Can cryptographic primitives be realized by functions in which each input bit affects a constant number of output bits?
Motivation I: Avalanche Property
[Figure: CN0 – bounded input locality]
• Confusion/Diffusion, Avalanche [Shannon 49, Feistel 73]: input-output dependencies of a block cipher should be “complex”
  “The important fact is that all output digits have potentially become very involved functions of all input digits” [Feistel 73]
• Easily justified in block ciphers (or pseudorandom functions/permutations).
• Is it also true for other primitives?
Motivation II: Fast Crypto Hardware
[Figure: NC0 – circuits of const. depth, const. fan-in, unbounded fan-out (Depth = O(1)); NC0 ∩ CN0 – functions of const. output locality & input locality, i.e., const. fan-out as well]
Motivation III: Complexity Theory
• k-Constraint Satisfaction Problem
  – List of constraints over n variables x1, …, xn, e.g. x1 + x3x5 = 0, x2x3x4 = 1, …, x2 + x3 + x4 = 1
  – Each constraint involves k = O(1) variables
  – Bounded-occurrence variant: each variable appears in O(1) constraints
• Goal: Find a satisfying assignment
• Fact: Hard in many aspects (k-CSP / bounded-occurrence k-CSP):
  – Cook-Levin Theorem [C71, L73]: NP-hard / [C71]: still NP-hard
  – PCP Theorem [ALMSS, AS 92]: NP-hard to approximate / [PY88]: still NP-hard to approximate
  – OWF in NC0 [AIK 04]: “cryptographically-hard” / still “cryptographically-hard”? OWF in NC0 ∩ CN0: YES
Previous Work
• [Goldreich 00] Heuristic OWF in NC0 ∩ CN0
• [Mossel Shpilka Trevisan 03] Heuristic PRG in NC0 ∩ CN0
• [AIK 04] Primitives in NC0 from primitives in NC1
  – Primitives in NC1 from standard assumptions (e.g., factoring, DLOG, lattices)
  ⇒ OWFs, PRGs, Encryption, Signatures, Hash… in NC0 from factoring
• [AIK 06] Linear PRG in NC0 ∩ CN0 from assumption of [Alekhnovich 03]
[Figure: NC0 vs CN0 – heuristic constructions and Alekhnovich’s assumption give OWF/PRG in NC0 ∩ CN0; factoring gives most primitives in NC0 only; this work: OWF, PRG, Com in CN0 from random linear codes and PK-Enc from McEliece]
Crypto in CN0 under standard assumptions?
Main Result
A characterization of crypto tasks computable in CN0

Possible in CN0
• One-Way Functions *
• Pseudorandom Generators *
• Commitment Schemes *
• Semantically-Secure Encryption (symmetric *, public-key **)

Impossible in CN0
• Message Authentication Codes
• Signatures
• Non-Malleable Encryption (symmetric, public-key)

* If hard to decode random binary linear code / learn parity w/noise
** If hard to break McEliece cryptosystem
Positive Results Proof Outline:
• Use the randomized encoding paradigm
• New construction: encoding in CN0 for functions with “nice algebraic structure”
• Assumption: hardness of decoding random linear code / McEliece
• Assumption ⇒ crypto primitives with “nice algebraic structure”
[Figure: Decoding rand. linear code / McEliece ⇒ Primitive with nice algebraic structure ⇒ (encoding) ⇒ Primitive in CN0]
Encoding in CN0 – Toy Example
f(x) = ( x1 + x2, x1 + x3, x1 + x4, x1 + x5 )
Goal: Reduce locality of x1 without increasing locality of other vars
Attempt 1 (chain):
  g(x) = ( x1 + x2, -x2 + x3, -x3 + x4, -x4 + x5 )
  • Deterministic encoding!
  • Problem: Increased the locality of other vars
Attempt 2 (replace):
  g(x,r) = ( r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1 - r1, x1 - r2, x1 - r3, x1 - r4 )
  • Problem: Didn’t reduce the locality of x1
Solution: Combine 1+2 (replace and chain)
  g(x,r) = ( r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1 - r1, r1 - r2, r2 - r3, r3 - r4 )
  • Locality: x1 is 1, x2,x3,x4,x5 did not increase, ri’s is 3
  • Correctness: To decode, add the corresponding entries, e.g. x1 + x4 = (r3 + x4) + (x1 - r1) + (r1 - r2) + (r2 - r3).
  • Privacy: g(x,r) distributed uniformly under correctness constraint.
By iterating the basic gadget for every variable:
Corollary: every linear function can be encoded by function w/input locality 3
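A worked version of the replace-and-chain gadget above, added here as an example and not code from the talk or the paper: it implements f and its encoding g over GF(2), the decoder, the simulator S, and brute-force checks of correctness, privacy and input locality over all 2^5 inputs and 2^4 random strings (all function names are my own).

```python
from itertools import product

BITS = (0, 1)

def f(x):
    """Target linear function over GF(2): x1 appears in every output, so rank(x1) = 4."""
    x1, x2, x3, x4, x5 = x
    return ((x1 + x2) % 2, (x1 + x3) % 2, (x1 + x4) % 2, (x1 + x5) % 2)

def g(x, r):
    """Replace x1 by r_t in term t, then chain x1+r1, r1+r2, r2+r3, r3+r4 (minus = plus in GF(2))."""
    x1, x2, x3, x4, x5 = x
    r1, r2, r3, r4 = r
    return ((r1 + x2) % 2, (r2 + x3) % 2, (r3 + x4) % 2, (r4 + x5) % 2,
            (x1 + r1) % 2, (r1 + r2) % 2, (r2 + r3) % 2, (r3 + r4) % 2)

def decode(y):
    """Correctness: f(x)[t] = y[t] + y[4] + ... + y[4+t]; the r's telescope away."""
    return tuple((y[t] + sum(y[4:5 + t])) % 2 for t in range(4))

def simulate(fx, b):
    """Simulator S(f(x)): the 4 chain entries b are uniform; the other 4 entries are forced by f(x)."""
    return tuple((fx[t] + sum(b[:t + 1])) % 2 for t in range(4)) + tuple(b)

def correct():
    """decode(g(x, r)) == f(x) for all 2^5 inputs x and all 2^4 random strings r."""
    return all(decode(g(x, r)) == f(x)
               for x in product(BITS, repeat=5) for r in product(BITS, repeat=4))

def private():
    """For every x, {g(x, r)}_r equals {S(f(x), b)}_b as multisets: g(x, U) depends only on f(x)."""
    for x in product(BITS, repeat=5):
        real = sorted(g(x, r) for r in product(BITS, repeat=4))
        sim = sorted(simulate(f(x), b) for b in product(BITS, repeat=4))
        if real != sim:
            return False
    return True

def input_locality(func, n):
    """For each of the n input bits, the number of output bits it influences (flipping it changes them for some input)."""
    deps = [set() for _ in range(n)]
    for z in product(BITS, repeat=n):
        out = func(z)
        for i in range(n):
            flipped = z[:i] + (1 - z[i],) + z[i + 1:]
            deps[i].update(j for j, (a, b) in enumerate(zip(out, func(flipped))) if a != b)
    return [len(d) for d in deps]

def g_as_one_function(z):
    """g viewed as a single 9-input function (x1..x5, r1..r4) so its input locality can be measured."""
    return g(z[:5], z[5:])
```

Running input_locality on f gives [4, 1, 1, 1, 1] and on g_as_one_function gives [1, 1, 1, 1, 1, 3, 3, 3, 2]: x1 drops from locality 4 to 1, x2..x5 stay at 1, and no r_i exceeds 3, matching the locality claim on the slide.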
Encoding in CN0 – Generalization
• Suppose that f is given in some additive form.
• f(x) = ( x1x2 + x2x3x5, x1x2 + x2x4x5, x1x2 + x1x3x4, x1x2 + x2x5 )
• rank(xi) = # of distinct terms in which xi appears (here rank(x1) = 2: the terms x1x2 and x1x3x4)
• Thm. f can be encoded by g such that:
  – input locality of xi is rank(xi)
  – input locality of random inputs is at most 3.
  – output locality is not increased.
• Proof: Generalize previous construction.
• Corollary: If for every i, rank(xi) = O(1) ⇒ g is in CN0
• [AIK04] If also algebraic degree = O(1) ⇒ g is in CN0 ∩ NC0
• Tightness: Some functions cannot be encoded with locality < rank(xi)
  Some functions cannot be encoded in CN0 (even w/non-efficient encoding).
  – Unlike NC0: “every f has (non-efficient) encoding in NC0” [AIK04]
Decoding Random Linear Code
[Figure: y = M·x + e, where M is a public random binary m×n matrix, x is a random binary info word of length n, and e is an iid noise vector (each bit is 1 w/prob. equal to the noise parameter)]
• Problem: Given M, y find x
• Params: m and the noise probability. E.g., m = 10n, noise probability ¼.
• Assumption: Problem is computationally hard
• Well studied in Coding Theory/Learning Theory [Kearns98, BKW00, Lyu05, FGKP06]
• Assumption does not hold ⇒ major breakthrough in Coding Theory
• Similar assumptions in [GKL93, BFKL93, Chab94, HB01, Reg05, JW05, KS06]
• Problem has nice algebraic structure: linear function + some low-degree noise
  – noise bit ei = r2i-1 · r2i (the AND of two fresh random bits is 1 w/prob. ¼ and has degree 2)
• Can be used to construct primitives with low rank and low degree
  - e.g., OWF, PRG, Commitment
Conclusions
• Cryptography in constant parallel time is possible
• Randomized encodings (of various types) are useful for this problem (and others…, e.g. MPC)
Future Directions:
• Better encodings ??
• Better implementations ??
• Better (weaker) assumptions ??
• More applications of randomized encoding ??
Thank You !