Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA

Mar 31, 2015

Page 1: Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation

Yuval Ishai

Technion & UCLA

Page 2: Impagliazzo's worlds (figure)

Minicrypt: OWF ⇒ PRG, SIGN, ENC, PRF, COMMIT, ZK
Cryptomania: KA, PKE, OT, TDP

Page 3: Secure Computation

• More general than you might think…
– encryption, commitment, ZK, coin-flipping, signatures can be captured as special cases.

• This talk: secure function evaluation
– Two or more parties holding inputs x_i
– Parties wish to compute f(x_1,x_2,…) without revealing inputs to each other
– Several variants
  • Honest majority vs. two-party / no honest majority
  • Computational vs. unconditional security
  • Semi-honest vs. malicious parties
  • Standalone vs. UC

Page 4: Feasibility Results

• No honest majority
– OT ⇒ computationally secure MPC [Yao86,GMW87]
– Ideal OT ⇒ unconditional, UC MPC [Kil88,IPS08]
– MPC for "nontrivial" f ⇒ OT [CK89,KKMO94,BIM99,HNRR04]

• Honest majority, secure channels
– Unconditional MPC [BGW88,CCD88,RB89]

(Figure: 1-out-of-2 OT. Inputs: Alice (s_0,s_1), Bob c. Bob outputs s_c.)

Page 5: The Two-Party Case

(Figure: Alice holds x, Bob holds y; both are PPT; Alice learns f(x,y).)

Security against Bob: there is a PPT simulator S_Bob such that for all x,y with |x|=|y|:
S_Bob(y) ≈_c View_Bob(x,y)

Security against Alice: there is a PPT simulator S_Alice such that for all x,y with |x|=|y|:
S_Alice(x, f(x,y)) ≈_c View_Alice(x,y)

Page 6: The Two-Party Case (with security parameter k)

(Figure: as on the previous slide, now parameterized by k.)

There is a PPT simulator S_Bob such that for all input sequences x_k, y_k:
S_Bob(1^k, y_k) ≈_c View_Bob(1^k, x_k, y_k)

There is a PPT simulator S_Alice such that for all input sequences x_k, y_k:
S_Alice(1^k, x_k, f(x_k,y_k)) ≈_c View_Alice(1^k, x_k, y_k)

Page 7: Efficiency of Secure Computation

• A lot of work on practical efficiency
• This talk: asymptotic efficiency
– May also be relevant to practice
– "Theory beats heuristics"

• Efficiency measures
– Communication complexity
– Computational complexity
– Round complexity

• Question: given function f and security parameter k
– How far can we push each efficiency measure?
– Under what assumptions?

Page 8: Round Complexity

(Figure: Alice (x) and Bob (y) exchange two messages; Alice learns f(x,y). Label: Cryptomania.)

• 2-message OT necessary (for general f)
• Is it also sufficient?

Page 9: Randomized Encoding [Yao86,…,IK00,AIK04]

(Figure: f maps x to y; g maps (x, r) to Enc(y). A decoder recovers y = f(x) from Enc(y); a simulator produces Enc(y) from y alone.)

• g is a "randomized encoding" of f
– Nontrivial relaxation of computing f
– Correctness: Dec(g(x,r)) = f(x)
– Privacy: Sim(f(x)) ≡ g(x,r) (identically or indistinguishably distributed, depending on the notion of privacy)

• Hope:
– g can be "simpler" than f (meaning of "simpler" determined by application)
– g can be used as a substitute for f

Speaker notes (yuvali):
Our main idea is very simple, so let me try to describe it in an intuitive way. Suppose we have a primitive f, say an OWF, that we want to compute. But computing f is too complex, so what can we do? One idea that comes to mind is to settle for computing some other function g whose output is just a renaming, or an encoding, of the output of f. The motivation is that if the output of g is just a different name for the output of f, and assuming we can efficiently encode and decode, then g should have the same computational properties as f. What we gained is that we now have the freedom to choose a convenient encoding, and the hope is that one of these choices will make g much easier than f. But if you think about it for a second, you see that this is not very useful.
Page 10: Notions of Simplicity

Decomposable encoding: g((x_1,…,x_n),r) = (g_1(x_1,r),…,g_n(x_n,r))
(each output block depends on a single input x_i and on r)

2-Decomposable encoding: g((x,y),r) = (g_x(x,r), g_y(y,r))

NC0 encoding: output locality c (each output bit depends on at most c bits of (x,r))

Low-degree encoding: algebraic degree d over F (in x and r)

Page 11: Decomposable Encoding: g((x_1,…,x_n),r) = (g_1(x_1,r),…,g_n(x_n,r))

• Application: parallel reduction of secure 2-party computation to OT
– Write g((x,y),r) = (g_1(x_1,r),…,g_n(x_n,r), g_y(y,r)), where Alice holds x = (x_1,…,x_n) and Bob holds y

(Figure: Bob samples r and sends g_y(y,r) to Alice. For each i, Bob inputs (g_i(0,r), g_i(1,r)) to an OT and Alice inputs x_i, so Alice receives g_i(x_i,r). The n OTs run in parallel; Alice decodes f(x,y) from (g_1(x_1,r),…,g_n(x_n,r), g_y(y,r)).)

• More effort if Bob can be malicious
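An added example (not code from the talk) of the reduction on this slide, instantiated for one concrete f, the inner product mod 2. The decomposable encoding used here is my own choice for this f: g_i(x_i, r) = x_i·y_i ⊕ r_i, with Bob knowing y and r and choosing the r_i to XOR to 0, so no g_y part is needed; it is not the general Yao-based encoding the talk refers to. OT is modelled as an ideal functionality, as the talk does, and all function names are assumptions. The simulator at the end shows why Alice's view is perfectly private for y in the semi-honest model; the slide's caveat about a malicious Bob applies, since nothing here checks that Bob's OT inputs are consistent.

```python
"""Secure 2-party inner product mod 2 via n parallel OTs on a decomposable encoding.

Added example; the toy encoding g_i(x_i, r) = x_i*y_i xor r_i (with the r_i
summing to 0 mod 2) is my choice of a decomposable encoding for this one f,
not the general Yao-based encoding the talk refers to.
"""
import secrets


def ideal_ot(s0, s1, choice):
    """1-out-of-2 OT as an ideal functionality (stands in for any 2-message OT):
    the receiver gets s_choice and nothing about the other string; the sender
    learns nothing."""
    return s1 if choice else s0


def f(x, y):
    """The function being computed: <x,y> mod 2."""
    return sum(a & b for a, b in zip(x, y)) % 2


def bob_ot_inputs(y):
    """Bob samples r and, for every i, prepares the pair (g_i(0,r), g_i(1,r)).
    The encoding is decomposable: coordinate i depends on Alice's x_i alone,
    so it can be delivered by one OT in which Alice chooses with x_i."""
    n = len(y)
    r = [secrets.randbelow(2) for _ in range(n - 1)]
    r.append(sum(r) % 2)                  # xor of all r_i is 0, so no g_y part is needed
    return [(r_i, r_i ^ y_i) for r_i, y_i in zip(r, y)]   # (g_i(0,r), g_i(1,r))


def decode(view):
    """Dec: xor of the coordinates = xor_i(x_i y_i) xor xor_i r_i = f(x,y)."""
    return sum(view) % 2


def run_protocol(x, y):
    """One round of n parallel OTs. Returns Alice's output and her full view
    (she receives nothing but the n OT outputs). Semi-honest parties only."""
    pairs = bob_ot_inputs(y)
    view = [ideal_ot(s0, s1, x_i) for (s0, s1), x_i in zip(pairs, x)]
    return decode(view), view


def simulate_alice_view(n, fxy):
    """S_Alice(x, f(x,y)): n bits uniform subject to xor == f(x,y). In the real
    protocol the r_i are uniform subject to xor 0, so the real view has exactly
    this distribution: perfect privacy for y against semi-honest Alice.
    Bob's view is empty (ideal OT), so S_Bob(y) outputs nothing."""
    v = [secrets.randbelow(2) for _ in range(n - 1)]
    v.append((sum(v) + fxy) % 2)
    return v


if __name__ == "__main__":
    x, y = [1, 0, 1, 1], [1, 1, 0, 1]       # constructed sample inputs
    out, view = run_protocol(x, y)
    print("f(x,y) =", out, "Alice's view =", view)
```

Round complexity is what the slide is after: every OT instance runs in parallel, so with a 2-message OT the whole protocol is two messages, and Bob's g_y message (empty here) would travel alongside his OT messages.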

Page 12: Notions of Simplicity (slide repeated from Page 10, no new content)

Page 13: Notions of Simplicity (2-decomposable encoding)

(The four notions listed on Page 10 are repeated on this slide.)

"A minimal model for secure computation" [FKN94]

(Figure: Alice holds x, Bob holds y, and the two share randomness r. Alice sends g_x(x,r) and Bob sends g_y(y,r) to Carol, who outputs f(x,y).)

Page 14: Notions of Simplicity (low-degree encoding)

(The four notions listed on Page 10 are repeated on this slide.)

Randomizing polynomials [IK00,…] ⇒ round-efficient secure multi-party computation

Page 15: Notions of Simplicity (NC0 encoding)

(The four notions listed on Page 10 are repeated on this slide.)

Cryptography in NC0 [AIK04,…]: an NC0 encoding of a OWF is itself a OWF

Page 16: Basic Facts

• If we don't care about efficiency, every f has a perfect, decomposable encoding g with
– degree 3 over F_2 (generalizes to arbitrary rings)
– output locality 4

• Negative result: degree 3 is optimal over finite fields, assuming perfect privacy [IK00]
– Big fields can be tricky: g(x,r) = (Σ_i 2^i x_i + c)·r^2 mod p

• Open
– degree 2 with statistical or computational privacy? ⇒ 2-round MPC with t<n/2 semi-honest parties
– output locality 3? ⇒ crypto with optimal output locality from general assumptions

Page 17: Degree-3 Encoding for Branching Programs

• BP(x) = det(L(x)), where L is a degree-1 mapping which outputs matrices of a special form.

• Encoding: g(x,r_1,r_2) = R_1(r_1) · L(x) · R_2(r_2)
(4×4 case shown on the slide; $ = random entry, * = entry of L(x))

R_1(r_1) =
1 $ $ $
0 1 $ $
0 0 1 $
0 0 0 1

L(x) =
 *  *  *  *
-1  *  *  *
 0 -1  *  *
 0  0 -1  *

R_2(r_2) =
1 0 0 $
0 1 0 $
0 0 1 $
0 0 0 1
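An added example (not code from the talk) that carries the construction on this slide through end to end. The toy branching program (parity of three bits), the prime P and all names are my choices; what follows the slide is the algebra: L(x) is obtained from the adjacency matrix A(x) of the branching program by deleting the first column and last row of A(x) − I, so it has −1 on the subdiagonal and zeros below, R_1 is upper unitriangular with random entries, R_2 is the identity with a random last column, and Dec is the determinant. The function reduce_to_canonical is the privacy argument made executable: the row operations R_1 can perform and the column operations R_2 can perform bring every matrix of L's shape to one canonical matrix H0(det), which is why R_1·L(x)·R_2 for uniform R_1, R_2 depends only on f(x).

```python
"""Degree-3 perfect randomized encoding of a branching program, after [IK00].
Added example, not code from the talk: the toy branching program, the prime P and
all names are mine; the algebra (L(x) from A(x)-I, the shapes of R1/R2, Dec = det)
follows the slide."""
import secrets

P = 2_147_483_647   # a prime; any finite field works
# Deterministic branching program for f(x0,x1,x2) = x0 xor x1 xor x2, nodes in
# topological order: inner node u -> (variable read, 0-successor, 1-successor).
# Node 5 is the reject sink, node 6 is the accept sink t.
BP = {0: (0, 1, 2), 1: (1, 3, 4), 2: (1, 4, 3), 3: (2, 5, 6), 4: (2, 6, 5)}
NODES, M = 7, 6     # M = NODES - 1 is the dimension of L(x) and of the encoding


def f(x):
    return x[0] ^ x[1] ^ x[2]


def adjacency(x):
    """A(x)[u][v]: edge weight x_i (1-edge) or 1-x_i (0-edge), degree 1 in x.
    A 0/1 input follows exactly one path from s, so #(s->t paths) = f(x)."""
    A = [[0] * NODES for _ in range(NODES)]
    for u, (var, v0, v1) in BP.items():
        A[u][v0] = (A[u][v0] + 1 - x[var]) % P
        A[u][v1] = (A[u][v1] + x[var]) % P
    return A


def L_matrix(x):
    """Drop the first column and last row of A(x)-I: -1 on the subdiagonal, zeros
    below it, and det L(x) = #(s->t paths) = f(x)."""
    A = adjacency(x)
    return [[(A[i][j + 1] - (i == j + 1)) % P for j in range(M)] for i in range(M)]


def matmul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(M)) % P for j in range(M)] for i in range(M)]


def det_mod_p(A):
    """Determinant over F_P by Gaussian elimination."""
    A, det = [row[:] for row in A], 1
    for c in range(M):
        piv = next((r for r in range(c, M) if A[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            A[c], A[piv], det = A[piv], A[c], -det
        det = det * A[c][c] % P
        inv = pow(A[c][c], P - 2, P)
        for r in range(c + 1, M):
            fac = A[r][c] * inv % P
            A[r] = [(a - fac * b) % P for a, b in zip(A[r], A[c])]
    return det % P


def random_R1():
    """Upper unitriangular, uniform above the diagonal (the '$' entries)."""
    return [[1 if i == j else secrets.randbelow(P) if j > i else 0 for j in range(M)] for i in range(M)]


def random_R2():
    """Identity with a uniform last column (its last entry stays 1)."""
    R = [[int(i == j) for j in range(M)] for i in range(M)]
    for i in range(M - 1):
        R[i][M - 1] = secrets.randbelow(P)
    return R


def encode(x):
    """g(x,r1,r2) = R1(r1) L(x) R2(r2); every entry has degree <= 3 in (x,r1,r2)."""
    return matmul(matmul(random_R1(), L_matrix(x)), random_R2())


def decode(g):
    """det R1 = det R2 = 1, so Dec(g) = det g = det L(x) = f(x)."""
    return det_mod_p(g)


def canonical(d):
    """H0(d): -1 on the subdiagonal, d in the top-right corner, 0 elsewhere; det = d."""
    H = [[P - 1 if i == j + 1 else 0 for j in range(M)] for i in range(M)]
    H[0][M - 1] = d % P
    return H


def reduce_to_canonical(g):
    """Only operations available to R1 (add a lower row to a higher one) and to R2
    (add earlier columns to the last one) bring any matrix of L's shape to
    H0(det g). As R1 and R2 range over groups, R1 L(x) R2 with uniform R1, R2 is
    distributed identically for all x with the same f(x): perfect privacy."""
    g = [row[:] for row in g]
    for c in range(M - 1):                   # pivot g[c+1][c] == -1 clears column c
        for r in range(c + 1):
            fac = g[r][c]
            g[r] = [(a + fac * b) % P for a, b in zip(g[r], g[c + 1])]
    for j in range(M - 1):                   # column j is now -1 at row j+1 only
        fac = g[j + 1][M - 1]
        for r in range(M):
            g[r][M - 1] = (g[r][M - 1] + fac * g[r][j]) % P
    return g


def simulate(d):
    """Sim(f(x)): the encoding's distribution sampled from the output alone."""
    return matmul(matmul(random_R1(), canonical(d)), random_R2())
```

The degree bound is visible in encode: R_1 is linear in r_1, L(x) is linear in x and R_2 is linear in r_2, so each entry of the product is a polynomial of degree at most 3, matching the "degree 3 over any field" fact on the previous slide. The same code works for any deterministic branching program once BP and NODES are replaced.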

Page 18: Complexity of Randomized Encoding

• Computational privacy
– OWFs exist ⇒ decomposable encoding for a circuit C of length O(k|C|)
  • Yao's garbled circuit technique [Yao86]
  • Yields 2-message secure protocols from 2-message OT
– "Easy PRG" (say, PRG in NC1) ⇒ NC0 encoding of length |C|·poly(k) [AIK05]
  • Assumption implied by factoring, discrete log, lattice assumptions
  • Primitive X exists ⇒ X exists in NC0, under the Easy PRG assumption

• Perfect privacy
– Efficient NC0 encodings for formulas, branching programs [Kil88,FKN94,IK00,AIK04,…]
– Capture complexity classes NC1, NL/poly, L/poly

Page 19: Open Complexity Questions

• No nontrivial lower bounds…
• Computational privacy
– OWF ⇒ efficient NC0 encoding for circuits?
  • Crypto implies crypto in NC0!
– Decomposable encoding of size O(|C|)?
– Arithmetic garbled circuit?

• Perfect / statistical privacy
– Efficient encoding for circuits?
  • Constant-round unconditionally secure MPC for P? [BMR90]
• Relation with other questions?
– Great LDC ⇒ poly-communication protocols for unbounded parties
– Better overhead for concrete representations

Page 20: Back to Secure Computation

• Recap: two-message secure protocol for f(x,y)
– Assumes 2-message OT
– O(k|C|) communication
– poly(k)·|C| computation

• Better assumption? No
• Better rounds? No
• Better computation?
– PRG G: {0,1}^n → {0,1}^{n^2} in NC0 ⇒ constant overhead [IKOS08]
– Not implied by standard assumptions
– Semi-explicit candidate in [MST03]

• Better communication?
– Rest of talk

Page 21: Life After the Bomb

• Gentry '09: fully homomorphic encryption scheme
– Enc_pk(x), C ⇒ Enc'(C(x))
– Size of encrypted output independent of |C|, |x|!
– Can hide C, x (even given sk)
– Can make encrypted input size |x| + poly(k)
– Corollaries
  • Secure evaluation of f(x,y) with |input| + |output|·poly(k) bits
  • General protocol compiler with poly(k) communication overhead
    – poly-time version of [NN01]
    – Big poly(k) computational overhead

• What is left to be done?
– Assumptions
– Better communication complexity?

Page 22: Communication Complexity

• Sometimes life is a long sequence of finite tasks…
– Circuit size = O(|output|)
– In this case, still need poly(k) bits per gate

• [IKOS08]:
– O(1) communication (and computation) per gate
– Under "exotic" crypto in NC0 assumption

• [IKOS09]:
– O(1) communication, poly(k) computation per gate
– Under the Φ-Hiding Assumption [CMS99,GR05]
  • Allows generating (G,g) such that m | ord(g) but m is hidden

Page 23: Assumptions

• Weaker results under weaker assumptions?
– Beat circuit size bound for useful function classes?

• General problem: compute a "program" P on an encrypted input c ← Enc(x)
• Two sources of non-triviality
– Encrypted output hides P
– Encrypted output is shorter than |P|

• Good solutions for useful classes of P
– Linear functions: "standard" homomorphic encryption
– Truth tables: PIR [CGKS95,KO97,CMS99,…]
– Degree-2 polynomials [BGN05]
– Length-bounded branching programs [NN01,IP07]

Page 24: Relevance to Impagliazzo's Worlds

• Observation
– most natural candidates for average-case hard problems imply one-way functions
– most natural candidates for one-way functions imply public-key encryption
  • typically shown in an ad-hoc way
– Are we just lucky?

• Thesis
– Hardness + "structure" ⇒ world upgrade
– Concrete instantiation inspired by [KO97,BIKM99,DMO00,IKO05,HN06]
  • Defined via communication complexity of secure computation

Page 25: Communication Complexity

(Figure: Alice holds x ← X, Bob holds y ← Y; the goal is f(x,y).)

• How many bits should be communicated to compute f whp?
• Most instances of f, X, Y are hard.
• What if Alice can send Bob c ←_R Enc(x) "for free"?
• Bob computationally bounded, Alice bounded or unbounded.
• Efficiency of secure computation with security against Bob
– Generalizes PIR, homomorphic encryption

Page 26: Types of Encryption

(Figure, partly lost in extraction: a table with rows Cryptomania, Minicrypt, Pessiland, Algorithmica and columns for public-key encryption (pk, sk), symmetric encryption (sk, sk) and "samplable" encryption; the Pessiland row carries a "?" in one column.)

Page 27: How to Get an Upgrade

• Need: poly-time computable f(x,y) and input distributions X, Y such that:
– f has high communication complexity on X×Y
  • Low communication ⇒ error > 1/poly(n)
– f has lower communication complexity when c ←_R Enc(x) is created by Alice and given to Bob (the "weak homomorphic property")
  • Possibly with small error

• Then Enc can be upgraded

Page 28: Candidate f, X, Y

• f(x,y) = Σ_i x_i y_i mod 2
– X, Y uniform on {0,1}^n
– Hard for interactive protocols with n − O(1) communication [Yao, Vaz, CG]

• f(x,y) = Σ_i x_i y_i
– Y uniform on {0,1}^n, X uniform of weight 1
– Hard for non-interactive Bob → Alice protocols with n − 1 bits of communication

Page 29: Minicrypt ⇒ Cryptomania+

• Given:
– symmetric encryption (Gen, Enc, Dec)
– weakly homomorphic for (f, X, Y) with bounded Alice

• Goal: build public-key encryption (Gen', Enc', Dec')

(Figure: sk ← Gen. Alice holds x ← X, Bob holds y ← Y. Alice sends c = Enc_sk(x); Bob replies d = Bob(c,y); Alice computes f(x,y) = Alice(sk,d,x).)

• Multi-round protocol ⇒ KA

Page 30: Minicrypt ⇒ Cryptomania+

• Gen'
– sk ← Gen; x ← X; c ← Enc_sk(x)
– pk = (c, x)

• Enc'_pk(b)
– y ← Y
– Output (Bob(c,y), b ⊕ f(x,y))

• Dec'_sk(d,e)
– Recover f(x,y) from (d, sk) using Alice's algorithm
– Output e ⊕ f(x,y)

• Security: using a hybrid game with c ← Enc_sk(x')
– Predicting f(x,y) from (c, x, Bob(c,y)) is impossible unconditionally
– Hybrid game computationally indistinguishable from real game

• Implies 2-message OT with statistical security for Sender

Page 31: Example: Kids Encryption ⇒ PKE

• Let p = public k-bit prime
– sk ←_R Z_p
– Enc_sk(b) = (2r + b)·sk mod p
  • r ←_R [0, p/(4k)]
– Dec_sk(c) = ((c·sk^{-1}) mod p) mod 2
– Enc_sk(x) = Enc_sk(x_1) … Enc_sk(x_n)

• Weak homomorphism:
– Let x, y ∈ {0,1}^{2k}
– Given c = (c_1,…,c_{2k}) ← Enc_sk(x) and y, Bob(c,y) = Σ_i y_i c_i allows Alice to decode Σ_i x_i y_i mod 2
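An added example (not code from the talk) that implements the kids encryption on this slide together with the Gen'/Enc'/Dec' upgrade of the previous slide, so the two can be run against each other. The prime P, the names, and one parameter are my choices: the randomness bound is p/(8k) rather than the slide's p/(4k), which guarantees that Bob's sum of at most 2k values never wraps modulo p, so Alice's parity decoding is exact. The slide calls the symmetric scheme a "kids" scheme; it is used here to show the mechanics of the upgrade, not as a scheme to deploy.

```python
"""The 'kids encryption' toy from the slide and the Minicrypt -> Cryptomania+
upgrade (Gen', Enc', Dec') built from its weak homomorphism for f = <x,y> mod 2.
Added example, not code from the talk: the prime P, the names and the slightly
smaller randomness bound R_BOUND are mine. A toy to illustrate the transformation,
not a scheme to deploy."""
import secrets

K = 61
P = (1 << 61) - 1          # public k-bit prime (k = 61)
N = 2 * K                  # x, y in {0,1}^{2k}
R_BOUND = P // (8 * K)     # slide: r in [0, p/(4k)]; p/(8k) keeps Bob's sum below p (see alice)


def gen():
    return secrets.randbelow(P - 1) + 1          # sk uniform in Z_p^* (must be invertible)


def enc_bit(sk, b):
    """Enc_sk(b) = (2r + b) * sk mod p."""
    return (2 * secrets.randbelow(R_BOUND + 1) + b) * sk % P


def dec_bit(sk, c):
    """Dec_sk(c) = ((c * sk^-1) mod p) mod 2."""
    return (c * pow(sk, P - 2, P) % P) % 2


def enc_vec(sk, x):
    """Enc_sk(x) = Enc_sk(x_1) ... Enc_sk(x_n), bit by bit with fresh r."""
    return [enc_bit(sk, xi) for xi in x]


def bob(c, y):
    """Bob's single message in the weakly homomorphic protocol: sum_i y_i c_i mod p."""
    return sum(ci for ci, yi in zip(c, y) if yi) % P


def alice(sk, d):
    """d * sk^-1 = sum_i y_i (2 r_i + x_i) as an integer (at most 2k*(2*R_BOUND+1) < p,
    so no wrap-around); its parity is <x,y> mod 2."""
    return (d * pow(sk, P - 2, P) % P) % 2


def inner_mod2(x, y):
    return sum(a & b for a, b in zip(x, y)) % 2


def rand_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]


# --- the upgrade: public-key encryption of a bit (slide 'Minicrypt -> Cryptomania+') ---
def gen_prime():
    """Gen': sk <- Gen; x <- X; c <- Enc_sk(x); pk = (c, x)."""
    sk, x = gen(), rand_bits(N)
    return (enc_vec(sk, x), x), sk


def enc_prime(pk, b):
    """Enc'_pk(b): y <- Y; output (Bob(c,y), b xor f(x,y)). y itself is never sent."""
    c, x = pk
    y = rand_bits(N)
    return bob(c, y), b ^ inner_mod2(x, y)


def dec_prime(sk, ct):
    """Dec'_sk(d,e): recover f(x,y) with Alice's algorithm, output e xor f(x,y)."""
    d, e = ct
    return e ^ alice(sk, d)
```

The communication-complexity argument from the slide is visible in the sizes: d is one k-bit field element about a 2k-bit y, so in the hybrid where c encrypts an unrelated x' the value <x,y> mod 2 cannot be predicted from (x, d), and the symmetric scheme's security is what makes that hybrid indistinguishable from the real game.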

Page 32: Example: LWE ⇒ PKE

• Decisional LWE: (M, Mr + e) is pseudorandom
– M, r random over Z_q
– e random with "small" entries

• Symmetric encryption:
– sk = random r
– Enc_sk(x) = (M, Mr + e + ⌊q/2⌋·x)

• Weak homomorphism
– By adding rows, as long as Σ e_i ≪ q

Page 33: Pessiland ⇒ Minicrypt+

• Given:
– "Pessiland Encryption" Enc
– Enc is weakly homomorphic for (f, X, Y) with unbounded Alice
– (f, X, Y) is nontrivial: for any distinct y, y', Pr_{x←X}[f(x,y) = f(x,y')] < 1 − 1/poly

• Goal: build a collision-resistant hash function

• Construction
– Key generation: c ← Enc
– Hashing: h_c(y) = Bob(c,y)
– Collision resistance:
  • h_c(y) = h_c(y') ⇒ f(x,y) = f(x,y') for x = "Dec"(c) ⇒ nontrivial info on x

Page 34: Failed Attempt: LPN ⇒ CRHF

• Assumption: (M, Mr + e) is pseudorandom
– M, r random over Z_2, e random with low Hamming weight
– Similar to LWE but over the binary field
– Follows from hardness of the search problem

• Implies symmetric encryption
• LPN with noise rate n^{-1/2} implies PKE [Ale03]
– Also 2-message OT

• Not known to imply CRHF
• Explanation
– Homomorphism limited by dimension
– In case of LWE, field size gives an extra degree of freedom

Page 35: Summary

• Under standard assumptions
– Constant rounds
– poly(k) communication and computation per gate

• Pushing communication to an extreme
– Fully homomorphic encryption
  • Secure communication ≤ poly(k) · insecure communication
  • Same round complexity
– Φ-hiding assumption
  • O(1) communication per gate
  • O(depth) rounds
– Both expensive in computation

• Pushing computation to an extreme
– poly-stretch PRG in NC0
  • O(1) computation per gate
  • O(depth) rounds

Page 36: Concluding Remarks

• Ambitious goals call for nonstandard assumptions
– especially when no heuristics are available

• Does "nonstandard" mean more risky?
– Factoring requires super-polynomial time vs.
– A "random" NC0 function is exponentially hard to invert