Efficiency vs. Assumptions in Secure Computation

1
Efficiency vs. Assumptions in Secure Computation
  • Yuval Ishai
  • Technion UCLA

2
Cryptomania: KA
Minicrypt: OWF
3


4
Secure Computation
  • More general than you might think
  • encryption, commitment, ZK, coin-flipping,
    signatures can be captured as special cases.
  • This talk: secure function evaluation
  • Two or more parties holding inputs x_i
  • Parties wish to compute f(x_1,x_2,…) without
    revealing inputs to each other
  • Several variants:
  • Honest majority vs. two-party / no honest
    majority
  • Computational vs. unconditional security
  • Semi-honest vs. malicious parties
  • Standalone vs. UC

5
Feasibility Results
Inputs: Alice (s_0,s_1), Bob c. Bob outputs s_c
  • No honest majority
  • OT ⇒ computationally secure MPC [Yao86, GMW87]
  • Ideal OT ⇒ Unconditional, UC MPC [Kil88, IPS08]
  • MPC for nontrivial f ⇒ OT [CK89, KKMO94, BIM99, HNRR04]
  • Honest majority, secure channels
  • Unconditional MPC [BGW88, CCD88, RB89]

6
The Two-Party Case
[Diagram: PPT Alice holds x, PPT Bob holds y; Alice learns f(x,y)]
  • PPT S_Bob ∀x,y, |x|=|y|
  • S_Bob(y) ≈c View_Bob(x,y)
  • PPT S_Alice ∀x,y, |x|=|y|
  • S_Alice(x,f(x,y)) ≈c View_Alice(x,y)

7
The Two-Party Case
[Diagram: security parameter k; Alice holds x, Bob holds y; Alice learns f(x,y)]
  • PPT S_Bob ∀p x_k,y_k
  • S_Bob(1^k,y_k) ≈c View_Bob(1^k,x_k,y_k)
  • PPT S_Alice ∀p x_k,y_k
  • S_Alice(1^k,x_k,f(x_k,y_k)) ≈c View_Alice(1^k,x_k,y_k)

8
Efficiency of Secure Computation
  • A lot of work on practical efficiency
  • This talk: asymptotic efficiency
  • May also be relevant to practice
  • Theory beats heuristics
  • Efficiency measures:
  • Communication complexity
  • Computational complexity
  • Round complexity
  • Question: given function f and security parameter k
  • How far can we push each efficiency measure?
  • Under what assumptions?

9
Round Complexity
[Diagram: Alice (input x), Bob (input y), output f(x,y)]
? Cryptomania
  • 2-message OT necessary (for general f)
  • Is it also sufficient?

10
Randomized Encoding [Yao86, …, IK00, AIK04]
Dec(g(x,r)) = f(x)
Sim(f(x)) ≈ g(x,r)
[Diagram: f maps x to y; Enc(y)]
  • g is a randomized encoding of f
  • Nontrivial relaxation of computing f
  • Hope:
  • g can be simpler than f
  • (meaning of simpler determined by
    application)
  • g can be used as a substitute for f

11
Notions of Simplicity
2-Decomposable encoding: g((x,y),r) = (g_x(x,r), g_y(y,r))
[Diagram: inputs x, y and randomness r]
  • Decomposable encoding
  • g((x_1,…,x_n),r) = (g_1(x_1,r),…,g_n(x_n,r))

NC0 encoding: output locality c
Low-degree encoding: algebraic degree d over F
12
Decomposable Encoding
  • g((x_1,…,x_n),r) = (g_1(x_1,r),…,g_n(x_n,r))
  • Application: parallel reduction of secure
    2-party computation to OT

g((x,y),r) = (g_1(x_1,r),…,g_n(x_n,r), g_y(y,r))
More effort if Bob can be malicious
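
Added example (not from the talk): the reduction on this slide in Python, for a small function f. Bob holds y and the randomness r, offers the pair (g_i(0,r), g_i(1,r)) in the i-th OT and sends g_y(y,r) in the clear; Alice selects with x_i and decodes. The truth-table garbling (2^n rows, so small n only), SHA-256 as the pad function, the ideal-OT stand-in and all function names are assumptions of this example.

```python
import hashlib
import secrets
from itertools import product

def pad(keys, ptr):
    # One mask bit derived from the selected keys; SHA-256 stands in for a PRF (assumption).
    return hashlib.sha256(b"".join(keys) + bytes(ptr)).digest()[0] & 1

def bob_encode(f, y, n):
    """Bob samples r and returns ([(g_i(0,r), g_i(1,r))], g_y(y,r))."""
    keys = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(n)]
    perm = [secrets.randbelow(2) for _ in range(n)]       # hides which key encodes 0
    # g_i(b,r) = (key for bit b, masked pointer b xor perm_i): depends on x_i and r only.
    ot_pairs = [tuple((keys[i][b], b ^ perm[i]) for b in (0, 1)) for i in range(n)]
    table = {}                                            # g_y(y,r): depends on y and r only
    for ptr in product((0, 1), repeat=n):
        x = tuple(p ^ m for p, m in zip(ptr, perm))
        table[ptr] = f(x, y) ^ pad([keys[i][x[i]] for i in range(n)], ptr)
    return ot_pairs, table

def ideal_ot(pair, choice):
    # Ideal OT functionality: the receiver learns pair[choice] and nothing else.
    return pair[choice]

def alice_decode(shares, table):
    # Alice can unmask exactly one row: the one her n keys and pointers select.
    ptr = tuple(p for _, p in shares)
    return table[ptr] ^ pad([k for k, _ in shares], ptr)

def run(f, x, y):
    ot_pairs, table = bob_encode(f, y, len(x))
    shares = [ideal_ot(pair, xi) for pair, xi in zip(ot_pairs, x)]  # n OTs in parallel
    return alice_decode(shares, table)
```

All n OT choices are fixed before Alice sees anything from Bob, so the OTs run in parallel and the protocol keeps the round count of the underlying OT.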
14
Notions of Simplicity
2-Decomposable encoding: g((x,y),r) = (g_x(x,r), g_y(y,r))
A minimal model for secure computation [FKN94]
[Diagram: Alice holds x and Bob holds y, both know r; they send g_x(x,r) and g_y(y,r) to Carol, who learns f(x,y)]
  • Decomposable encoding
  • g((x_1,…,x_n),r) = (g_1(x_1,r),…,g_n(x_n,r))

NC0 encoding: output locality c
Low-degree encoding: algebraic degree d over F
15
Notions of Simplicity
2-Decomposable encoding: g((x,y),r) = (g_x(x,r), g_y(y,r))
[Diagram: inputs x, y and randomness r]
  • Decomposable encoding
  • g((x_1,…,x_n),r) = (g_1(x_1,r),…,g_n(x_n,r))

NC0 encoding: output locality c
Low-degree encoding: algebraic degree d over F
Randomizing polynomials [IK00, …] ⇒ round-efficient secure multi-party computation
16
Notions of Simplicity
2-Decomposable encoding: g((x,y),r) = (g_x(x,r), g_y(y,r))
[Diagram: inputs x, y and randomness r]
  • Decomposable encoding
  • g((x_1,…,x_n),r) = (g_1(x_1,r),…,g_n(x_n,r))

NC0 encoding: output locality c
Cryptography in NC0 [AIK04, …]
OWF
Low-degree encoding: algebraic degree d over F
17
Basic Facts
  • If we don't care about efficiency, every f has a
    perfect, decomposable encoding g with:
  • degree 3 over F_2 (generalizes to arbitrary
    rings)
  • output locality 4
  • Negative result: degree 3 is optimal over finite
    fields, assuming perfect privacy [IK00]
  • Big fields can be tricky g(x,r) (? 2ixi
    c)?r2 mod p
  • Open:
  • degree 2 with statistical or computational
    privacy?
  • 2-round MPC with t<n/2 semi-honest parties
  • output locality 3?
  • Crypto with optimal output locality from general
    assumptions

18
Degree-3 Encoding for Branching Programs
  • BP(x) = det(L(x)), where L is a degree-1 mapping
    which outputs matrices of a special form.
  • Encoding

19
Complexity of Randomized Encoding
  • Computational privacy
  • OWFs exist ⇒ Decomposable encoding for a circuit
    C of length O(k·|C|)
  • Yao's garbled circuit technique [Yao86]
  • Yields 2-message secure protocols from 2-message
    OT
  • Easy PRG (say, PRG in NC1) ⇒ NC0 encoding of
    length |C|·poly(k) [AIK05]
  • Assumption implied by factoring, discrete log,
    lattice assumptions
  • Primitive X exists ⇒ X exists in NC0 under Easy
    PRG assumption
  • Perfect privacy
  • Efficient NC0 encodings for formulas, branching
    programs [Kil88, FKN94, IK00, AIK04, …]
  • Capture complexity classes NC1, NL/poly, ⊕L/poly

20
Open Complexity Questions
  • No nontrivial lower bounds
  • Computational privacy
  • OWF ⇒ efficient NC0 encoding for circuits?
  • Crypto implies crypto in NC0!
  • Decomposable encoding of size O(|C|)?
  • Arithmetic garbled circuit?
  • Perfect / statistical privacy
  • Efficient encoding for circuits?
  • Constant-round unconditionally secure MPC for P?
    [BMR90]
  • Relation with other questions?
  • Great LDC ⇒ poly-communication protocols for
    unbounded parties
  • Better overhead for concrete representations

21
Back to Secure Computation
  • Recap: Two-message secure protocol for f(x,y)
  • Assumes 2-message OT
  • O(k·|C|) communication
  • poly(k)·|C| computation
  • Better assumption? No
  • Better rounds? No
  • Better computation?
  • PRG G: {0,1}^n → {0,1}^(n^2) in NC0 ⇒ constant overhead
    [IKOS08]
  • Not implied by standard assumptions
  • Semi-explicit candidate in [MST03]
  • Better communication?
  • Rest of talk

22
Life After the Bomb
  • [Gentry 09]: fully homomorphic encryption scheme
  • Enc_pk(x), C → Enc(C(x))
  • Size of encrypted output independent of C,x!
  • Can hide C,x (even given sk)
  • Can make encrypted input size |x|+poly(k)
  • Corollaries:
  • Secure evaluation of f(x,y) with
    |input|+|output|+poly(k) bits
  • General protocol compiler with poly(k)
    communication overhead
  • poly-time version of [NN01]
  • Big poly(k) computational overhead
  • What is left to be done?
  • Assumptions
  • Better communication complexity?

23
Communication Complexity
  • Sometimes life is a long sequence of finite
    tasks
  • Circuit size O(output)
  • In this case, still need poly(k) bits per gate
  • [IKOS08]
  • O(1) communication (and computation) per gate
  • Under exotic crypto in NC0 assumption
  • [IKOS09]
  • O(1) communication, poly(k) computation per gate
  • Under Φ-Hiding Assumption [CMS99, GR05]
  • Allows generating (G,g) such that m | ord(g) but
    m is hidden

24
Assumptions
  • Weaker results under weaker assumptions?
  • Beat circuit size bound for useful function
    classes?
  • General problem: compute a program P on an
    encrypted input c ← Enc(x)
  • Two sources of non-triviality:
  • Encrypted output hides P
  • Encrypted output is shorter than P
  • Good solutions for useful classes of P:
  • Linear functions: standard homomorphic
    encryption
  • Truth tables: PIR [CGKS95, KO97, CMS99, …]
  • Degree-2 polynomials [BGN05]
  • Length-bounded branching programs [NN01, IP07]

25
Relevance to Impagliazzo's Worlds
  • Observation:
  • most natural candidates for average-case hard
    problems imply one-way functions
  • most natural candidates for one-way functions
    imply public-key encryption
  • typically shown in an ad-hoc way
  • Are we just lucky?
  • Thesis:
  • Hardness + structure ⇒ world upgrade
  • Concrete instantiation inspired by
    [KO97, BIKM99, DMO00, IKO05, HN06]
  • Defined via communication complexity of secure
    computation

26
Communication Complexity
[Diagram: Alice holds x ← X, Bob holds y ← Y; output f(x,y)]
  • Most instances of f,X,Y are hard.
  • What if Alice can send Bob c ∈R Enc(x) for free?
  • Bob computationally bounded, Alice bounded or
    unbounded.
  • Efficiency of secure computation with security
    against Bob
  • Generalizes PIR, homomorphic encryption

How many bits should be communicated to compute f whp?
27
Types of Encryption
pk
sk
  • Cryptomania x ? c ? x
  • Minicrypt x ? c ? x
  • Pessiland ? ? c ? x
  • Algorithmica x ? c ? x

sk
sk
? samplable
28
How to Get an Upgrade
  • Need poly-time computable f(x,y) and input
    distributions X,Y such that:
  • f has high communication complexity on X×Y
  • Low communication ⇒ error > 1/poly(n)
  • f has lower communication complexity when
    c ∈R Enc(x) is created by Alice and given to Bob.
  • Possibly with small error
  • Then Enc can be upgraded

Weak homomorphic property
29
Candidate f,X,Y
  • f(x,y) = Σ x_i y_i mod 2
  • X,Y uniform on {0,1}^n
  • Hard for interactive protocols with n-O(1)
    communication [Yao, Vaz, CG]
  • f(x,y) = Σ x_i y_i
  • Y uniform on {0,1}^n, X uniform of weight 1
  • Hard for non-interactive Bob→Alice protocols with
    n-1 bits of communication

30
Minicrypt → Cryptomania
  • Given:
  • symmetric encryption (Gen,Enc,Dec)
  • weakly homomorphic for (f,X,Y) with bounded Alice
  • Goal: Build public-key encryption (Gen,Enc,Dec)

Multi-round protocol ⇒ KA
31
Minicrypt → Cryptomania
  • Gen
  • sk ← Gen; x ← X; c ← Enc_sk(x)
  • pk = (c,x)
  • Enc_pk(b)
  • y ← Y
  • Output (Bob(c,y), b ⊕ f(x,y))
  • Dec_sk(d,e)
  • Recover f(x,y) from (d,sk) using Alice's
    algorithm
  • Output e ⊕ f(x,y)
  • Security: using hybrid game with c ← Enc_sk(x)
  • Predicting f(x,y) from (c,x,Bob(c,y)) is
    impossible unconditionally
  • Hybrid game computationally indistinguishable
    from real game
  • Implies 2-message OT with statistical security
    for Sender

32
Example: Kids Encryption → PKE
  • Let p be a public k-bit prime
  • sk ∈R Z_p
  • Enc_sk(b) = (2r+b)·sk mod p
  • r ∈R [0, p/(4k)]
  • Dec_sk(c) = ((c·sk^(-1)) mod p) mod 2
  • Enc_sk(x) = Enc_sk(x_1) … Enc_sk(x_n)
  • Weak homomorphism:
  • Let x,y ∈ {0,1}^(2k)
  • Given c = (c_1,…,c_2k) ← Enc_sk(x) and y,
    Bob(c,y) = Σ y_i c_i allows Alice to decode Σ x_i y_i
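
Added example (not from the talk): the Gen / Enc_pk / Dec_sk construction of the previous slide instantiated with this slide's symmetric scheme and f(x,y) = Σ x_i y_i mod 2. The parameters K = 61 and p = 2^61 - 1, the exclusion of sk = 0, drawing r strictly below p/(4k), and all function names are assumptions of this example; it checks correctness only and is not a vetted cryptosystem.

```python
import secrets

K = 61                 # security parameter k (constructed toy size)
P = 2**61 - 1          # public k-bit prime: the Mersenne prime 2^61 - 1
N = 2 * K              # x and y are bit vectors of length 2k

def sym_gen():
    return 1 + secrets.randbelow(P - 1)       # sk in Z_p, nonzero so sk^(-1) exists

def sym_enc(sk, b):
    r = secrets.randbelow(P // (4 * K))       # r < p/(4k)
    return (2 * r + b) * sk % P               # Enc_sk(b) = (2r+b)*sk mod p

def sym_dec(sk, c):
    return (c * pow(sk, -1, P) % P) % 2       # ((c*sk^(-1)) mod p) mod 2

def bob(c, y):
    # Weak homomorphism: sum of y_i*c_i mod p. The result is one element of Z_p
    # (k bits) although y has 2k bits. Each 2r+b stays below p/(2k), so a sum of
    # at most 2k terms never wraps modulo p and Alice decodes the right parity.
    return sum(ci for ci, yi in zip(c, y) if yi) % P

def inner(x, y):
    return sum(a & b for a, b in zip(x, y)) % 2   # f(x,y) = sum x_i*y_i mod 2

def pke_gen():
    sk = sym_gen()
    x = [secrets.randbelow(2) for _ in range(N)]
    c = [sym_enc(sk, xi) for xi in x]
    return (c, x), sk                         # pk = (c, x)

def pke_enc(pk, b):
    c, x = pk
    y = [secrets.randbelow(2) for _ in range(N)]
    return bob(c, y), b ^ inner(x, y)         # (Bob(c,y), b xor f(x,y))

def pke_dec(sk, ct):
    d, e = ct
    return e ^ sym_dec(sk, d)                 # Alice's decoding of d yields f(x,y)
```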

33
Example: LWE → PKE
  • Decisional LWE: (M,Mr+e) is pseudorandom
  • M,x random over Z_q
  • e random with small entries
  • Symmetric encryption:
  • sk = random r
  • Encsk(x)(M,Mxe?q/2??x)
  • Weak homomorphism:
  • By adding rows, as long as Σ e_i << q

34
Pessiland → Minicrypt
  • Given:
  • Pessiland Encryption Enc
  • Enc is weakly homomorphic for (f,X,Y) with
    unbounded Alice
  • (f,X,Y) is nontrivial: for any distinct y,y',
    Pr_{x←X}[f(x,y) = f(x,y')] < 1-1/poly
  • Goal: Build a collision-resistant hash function
  • Construction:
  • Key generation: c ← Enc
  • Hashing: h_c(y) = Bob(c,y)
  • Collision resistance:
  • h_c(y) = h_c(y') ⇒ f(x,y) = f(x,y') for x = Dec(c) ⇒
    nontrivial info on x

35
Failed Attempt: LPN → CRHF
  • Assumption: (M,Mr+e) is pseudorandom
  • M,r random over Z_2, e random with low Hamming
    weight
  • Similar to LWE but over binary field
  • Follows from hardness of search problem
  • Implies symmetric encryption
  • n^(1/2-ε)-noise LPN implies PKE [Ale03]
  • Also 2-message OT
  • Not known to imply CRHF
  • Explanation:
  • Homomorphism limited by dimension
  • In case of LWE, field size gives extra degree of
    freedom

36
Summary
  • Under standard assumptions
  • Constant rounds
  • poly(k) communication and computation per gate
  • Pushing communication to an extreme
  • Fully homomorphic encryption
  • Secure communication poly(k)? insecure
    communication
  • Same round complexity
  • Φ-hiding assumption
  • O(1) communication per gate
  • O(depth) rounds
  • Both expensive in computation
  • Pushing computation to an extreme
  • poly-stretch PRG in NC0
  • O(1) computation per gate
  • O(depth) rounds

37
Concluding Remarks
  • Ambitious goals call for nonstandard assumptions.
  • especially when no heuristics are available
  • Does nonstandard mean more risky?
  • Factoring requires super-polynomial time
    vs.
  • A random NC0 function is exponentially hard to
    invert