
Cryptography in Constant Parallel Time

Cryptography in Constant Parallel Time. Benny Applebaum (Technion, Princeton). Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07).


Presentation Transcript


  1. Cryptography in Constant Parallel Time Benny Applebaum (Technion, Princeton) Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07)

  2. Talk Outline • Part 1: Crypto in NC0 – Survey • The basic question • Main results • Main tool: randomized encoding of functions • Part 2: Crypto in CN0 [AIK 07] • The basic question • Main results • “Something” about the proof

  3. Part 1: Crypto in NC0 Encryption Signature ZK-Proofs

  4. Efficiency of Cryptographic Primitives • Q: What computational resources are needed for cryptography? • Can cryptographic primitives be computed by very simple functions? • Simple = each output bit depends on O(1) input bits = const. depth circuits with bounded fan-in = NC0 • Currently the smallest creature in the complexity zoo

  5. Cryptography in NC0? • Longstanding open question: Håstad 87, Impagliazzo Naor 89, Goldreich 00, Cryan Miltersen 01, Krause Lucks 01, Mossel Shpilka Trevisan 03 • Tempting conjecture: crypto hardness requires a “complex” function. [CM]: Yes; [G]: No • Real-life motivation: super-fast cryptographic hardware

  6. Basic Primitives: One-Way Function (OWF) • Easy: computing y = f(x) takes poly-time • Hard: given y, no poly-time machine can find an x in f^-1(y)

  7. Basic Primitives: Pseudorandom Generator (PRG) • G stretches a uniform seed U_in to G(U_in); a poly-time machine cannot tell G(U_in) from a truly random U_out (“pseudorandom or random?”) • Def. PRG is minimal if stretch = 1

  8. Previous Work • Positive results: • PRG in NC1 from factoring, discrete-log, lattices, … • PRF in NC1 from factoring [Naor Reingold 97] • PRG (sub-lin stretch) in AC0 from subset sum [Impagliazzo Naor 89] • Permutation in NC0 which is P-complete to invert [Håstad 87] • Function in NC0 which is NP-complete to invert [Agrawal Allender Rudich 98] • Heuristic construction of OWF/PRG in NC0 [Goldreich 00, MST 03] • Negative results (NC0_k = NC0 with output locality k): • No OWF in NC0_2 [Goldreich 00, Cryan Miltersen 01] • No PRG with large stretch in NC0_3, NC0_4 [CM01, Mossel Shpilka Trevisan 03] • (Figure: OWF/PRG by class: NC1 and AC0 known; NC0_4 only low stretch; NC0_2 impossible; NC0 in general open.)

  9. Our Approach • Compile primitives in a “relatively high” complexity class into ones in NC0 (e.g., an OWF goes through the compiler and comes out as an OWF with locality 4)

  10. Our Results

  11. Sufficient Assumptions for Crypto in NC0 • Assuming a min-PRG in NC1 (exists from factoring, discrete-log/DDH, lattices, …), the following exist in NC0 [AIK 04, AIK 05]: OWF, PRG, Hash, Sym-Enc, PK-Enc, Signature, Commit, NIZK • Caveats: • We get PRG with sub-linear stretch • decryption / verification not in NC0… • In fact, impossible to decrypt/verify in NC0 • … But: can commit in NC0 with decommit in NC0 [AND]

  12. Parallel Reductions Between Primitives • Thm. All are equivalent under poly-time reductions [Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, …] • What about NC reductions? Much less is known…. • New [AIK05]: NC0 reductions • Note: non-black-box reductions! • (Figure: reduction graph over OWF, “regular” OWF, min-PRG, lin-PRG, Commit, Signature, Sym-Enc, PRF, Synthesizer; edges labeled NC0 [AIK04, HILL90, Naor89] or NC1 [NR95, GGM84].)

  13. PRG with large stretch in NC0 • Our techniques give a PRG with sub-linear stretch • E.g., stretches n bits to n + n^0.5 bits • Question: Are there PRGs in NC0 with large stretch? • E.g., linear stretch, G: {0,1}^n → {0,1}^2n (LPRG) • Motivation: parallel stream ciphers • Related work: • No super-linear PRG in NC0_3, NC0_4 [CM01, MST03] • Heuristic super-linear PRG in NC0_5 [MST 03]

  14. PRG with large stretch in NC0 • Question: Are there PRGs in NC0 with large stretch? • Thm. [AIK 06]: LPRG in NC0 from the algebraic assumption of [Alekhnovich 03] • (easily) implies inapproximability of MAX 3SAT (no PCP!) • unlikely to be constructed via “compiler”

  15. Our Techniques

  16. Main Tool: Randomized Encoding • (Figure: f maps x to y = f(x); g maps (x, r), with r random, to Enc(y), an encoding of y.)

  17. Randomized Encoding - Definition • Correctness: f(x) can be efficiently decoded from g(x,r). • Privacy: ∃ efficient simulator S s.t. S(f(x)) ≡ g(x,U), i.e., g(x,U) depends only on f(x) • (Figure: if f(x) ≠ f(w), the distributions g(x,U) and g(w,U) differ (correctness); if f(x) = f(w), then g(x,U) ≡ g(w,U) (privacy).)

  18. Randomized Encoding – Cont. • Explicitly introduced by Ishai and Kushilevitz [IK 00] • Algebraic framework of randomizing polynomials • Motivation: information-theoretic secure multiparty computation • Weaker versions implicit in secure computation (e.g. [Kil 88, FKN94]) • g is a “randomized encoding” of f • Nontrivial relaxation of computing f • Want relaxation to be • Secure: g inherits security properties of f • Liberal: even “complex” f admit encodings g ∈ NC0

  19. Security of Randomized Encoding • Thm. [AIK04]: preserves crypto hardness of most primitives • E.g., OWF, OWP, PRG, Sym-Enc, PK-Enc, Sign, MAC, Hash, Com, ZK • Also works for information-theoretic primitives (ε-biased gens, extractors, …) • Different primitives require different variants of randomized encoding • Paradigm for crypto w/low complexity: • Encode functions in complexity class HIGH by functions in LOW • Show that a primitive P can be implemented in HIGH • Conclude that P can be implemented in LOW

  20. Part 2:Crypto in CN0 [AIK07]

  21. Cryptography with Constant Input Locality • Till now we considered only NC0 functions: NC0 = const. depth circuits with bounded fan-in = each output bit depends on O(1) input bits (output locality) • Q: Can cryptographic primitives be realized by functions in which each input bit affects a constant number of output bits (input locality)? Call this class CN0

  22. Motivation I: Avalanche Property • Confusion/Diffusion, Avalanche [Shannon 49, Feistel 73]: input-output dependencies of a block cipher should be “complex” • “The important fact is that all output digits have potentially become very involved functions of all input digits” [Feistel 73] • Easily justified in block ciphers (or pseudorandom functions/permutations). Is it also true for other primitives? (CN0: constant input locality)

  23. Motivation II: Fast Crypto Hardware • NC0 = circuits of const. depth, const. fan-in, unbounded fan-out • NC0 ∩ CN0 = functions of const. output locality & input locality = circuits of const. depth, const. fan-in, const. fan-out (Depth = O(1))

  24. Motivation III: Complexity Theory • k-Constraint Satisfaction Problem: list of constraints over n variables x1,…,xn, each constraint involves k = O(1) variables (e.g., X1 + X3 X5 = 0, X2 X3 X4 = 1, …, X2 + X3 + X4 = 1) • Goal: Find a satisfying assignment • Bounded-occurrence variant: each variable also appears in O(1) constraints • Fact: Hard in many aspects, and the bounded-occurrence variant stays hard: • Cook-Levin Theorem [C71, L73]: NP-hard; bounded occurrence [C71]: still NP-hard • PCP Theorem [ALMSS, AS 92]: NP-hard to approximate; bounded occurrence [PY88]: still NP-hard to approximate • OWF in NC0 [AIK 04]: “cryptographically-hard”; bounded occurrence (OWF in NC0 ∩ CN0): still “cryptographically-hard”? YES

  25. Previous Work • [Goldreich 00] Heuristic OWF in NC0 ∩ CN0 • [Mossel Shpilka Trevisan 03] Heuristic PRG in NC0 ∩ CN0 • [AIK 04] Primitives in NC0 from primitives in NC1; primitives in NC1 from standard assumptions (e.g., factoring, DLOG, lattices) ⇒ OWFs, PRGs, Encryption, Signatures, Hash… in NC0 from factoring • [AIK 06] Linear PRG in NC0 ∩ CN0 from the assumption of [Alekhnovich 03] • Crypto in CN0 under standard assumptions? • (Figure: assumptions vs. classes: factoring gives most primitives in NC0; in CN0 only a PRG from Alekhnovich’s assumption and heuristic OWF/PRG constructions were known; this talk adds OWF, Com, PRG and PK-Enc in CN0 from random linear codes / McEliece.)

  26. Main Result • A characterization of crypto tasks computable in CN0 • Impossible in CN0: Message Authentication Codes, Signatures, Non-Malleable Encryption (symmetric, public-key) • Possible in CN0 (the constructions are also in NC0): One-Way Functions*, Pseudorandom Generators*, Commitment Schemes*, Semantically-Secure Encryption (symmetric*, public-key**) • * If hard to decode random binary linear code / learn parity w/noise • ** If hard to break McEliece cryptosystem


  28. Positive Results • Proof Outline: • Use the randomized encoding paradigm • New Construction: encoding in CN0 for functions with “nice algebraic structure” • Assumption: Hardness of decoding random linear code / McEliece • Assumption ⇒ crypto primitives with “nice algebraic structure” • Decoding rand. linear code/McEliece ⇒ Primitive with nice algebraic structure ⇒ Primitive in CN0

  29. Encoding in CN0 – Toy Example • f(x) = (x1 + x2, x1 + x3, x1 + x4, x1 + x5) • Goal: Reduce locality of x1 without increasing locality of other vars • Attempt 1 (chain): g(x) = (x1 + x2, -x2 + x3, -x3 + x4, -x4 + x5) • Deterministic encoding! • Problem: Increased the locality of other vars • Attempt 2 (replace): g(x,r) = (r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1-r1, x1-r2, x1-r3, x1-r4) • Problem: Didn’t reduce the locality of x1 • Solution: Combine 1+2 (replace and chain): g(x,r) = (r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1-r1, r1-r2, r2-r3, r3-r4) • Locality: x1 is 1, x2,x3,x4,x5 did not increase, ri’s is 3

  31. Encoding in CN0 – Toy Example (cont.) • Solution: g(x,r) = (r1 + x2, r2 + x3, r3 + x4, r4 + x5, x1-r1, r1-r2, r2-r3, r3-r4) • Correctness: To decode, add the corresponding entries (e.g., x1 + x4 = (r3 + x4) + (x1-r1) + (r1-r2) + (r2-r3)). • Privacy: g(x,r) is distributed uniformly under the correctness constraint. • By iterating the basic gadget for every variable ⇒ Corollary: every linear function can be encoded by a function w/input locality 3

  32. Encoding in CN0 – Generalization • Suppose that f is given in some additive form, e.g. f(x) = (x1x2 + x2x3x5, x1x2 + x2x4x5, x1x2 + x1x3x4, x1x2 + x2x5) • rank(xi) = # of distinct terms in which xi appears (here rank(x1) = 2: the terms x1x2 and x1x3x4) • Thm. f can be encoded by g such that: input locality of xi is rank(xi); input locality of random inputs is at most 3; output locality is not increased. • Proof: Generalize previous construction. • Corollary: If for every i, rank(xi) = O(1) ⇒ g is in CN0 • [AIK04] If also algebraic degree = O(1) ⇒ g is in CN0 ∩ NC0 • Tightness: Some functions cannot be encoded with locality < rank(xi) ⇒ Some functions cannot be encoded in CN0 (even w/non-efficient encoding). • Unlike NC0: “every f has (non-efficient) encoding in NC0” [AIK04]
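The replace-and-chain gadget of slides 29–31 and its term-level generalization from slide 32, as an added worked example (this is not code from the talk or from the AIK papers). It assumes arithmetic over GF(2), so + and - both mean XOR, and represents a function in additive form as a list of outputs, each a set of monomials. It encodes the toy linear f and the polynomial f of slide 32, decodes by adding the corresponding entries, checks privacy exhaustively (the multiset of g(x,r) over all r must depend only on f(x)), and measures rank and input locality. The variable names xi/ri and all helper names are my own.

```python
import itertools

# Representation (assumption): a function in additive form over GF(2) is a list of
# outputs; each output is a frozenset of monomials; each monomial is a frozenset of
# variable names. Over GF(2) "+" and "-" coincide, both are XOR.

def out(*terms):
    """Build one output from terms written like "x1*x2"."""
    return frozenset(frozenset(t.split("*")) for t in terms)

# Slide 29: f(x) = (x1+x2, x1+x3, x1+x4, x1+x5)
TOY_F = [out("x1", "x2"), out("x1", "x3"), out("x1", "x4"), out("x1", "x5")]
# Slide 32: f(x) = (x1x2+x2x3x5, x1x2+x2x4x5, x1x2+x1x3x4, x1x2+x2x5)
POLY_F = [out("x1*x2", "x2*x3*x5"), out("x1*x2", "x2*x4*x5"),
          out("x1*x2", "x1*x3*x4"), out("x1*x2", "x2*x5")]

def variables(poly):
    return sorted(set().union(*set().union(*poly)))

def evaluate(poly, assignment):
    """Evaluate every output on a dict {variable: bit}; returns a tuple of bits."""
    return tuple(sum(all(assignment[v] for v in mon) for mon in output) % 2
                 for output in poly)

def rank(poly):
    """rank(v) = number of distinct monomials (across all outputs) containing v."""
    monomials = set().union(*poly)
    return {v: sum(1 for mon in monomials if v in mon) for v in variables(poly)}

def input_locality(poly):
    """Exhaustive check: how many outputs each variable can actually influence."""
    vs = variables(poly)
    influence = {v: set() for v in vs}
    for bits in itertools.product((0, 1), repeat=len(vs)):
        base_assign = dict(zip(vs, bits))
        base = evaluate(poly, base_assign)
        for v in vs:
            flipped = dict(base_assign, **{v: bits[vs.index(v)] ^ 1})
            changed = evaluate(poly, flipped)
            influence[v].update(j for j in range(len(base)) if changed[j] != base[j])
    return {v: len(s) for v, s in influence.items()}

def encode(f):
    """Term-level 'replace and chain': a monomial T shared by k >= 2 outputs is replaced
    by fresh r_1..r_k and re-linked through the chain T+r_1, r_1+r_2, ..., r_{k-1}+r_k.
    Returns (g, recipes) with f_i = XOR of the g-outputs listed in recipes[i]."""
    g = [set(output) for output in f]
    recipes = [[i] for i in range(len(f))]
    fresh = itertools.count(1)
    for term in sorted(set().union(*f), key=sorted):   # original monomials only
        holders = [i for i, output in enumerate(g) if term in output]
        if len(holders) < 2:
            continue
        rs = [frozenset({f"r{next(fresh)}"}) for _ in holders]
        start = len(g)                                    # index of T + r_1 in g
        for j, i in enumerate(holders):
            g[i].remove(term)
            g[i].add(rs[j])                               # "replace" T by r_j here
            # f_i = (rest_i + r_j) + (T + r_1) + (r_1 + r_2) + ... + (r_{j-1} + r_j)
            recipes[i].extend(range(start, start + j + 1))
        g.append({term, rs[0]})                           # "chain" r_1 back to T
        g.extend({rs[j - 1], rs[j]} for j in range(1, len(rs)))
    return [frozenset(output) for output in g], recipes

def decode(g_value, recipes):
    """Correctness: add (XOR) the corresponding entries."""
    return tuple(sum(g_value[j] for j in recipe) % 2 for recipe in recipes)

def check_encoding(f):
    """Correctness for all (x, r), and privacy: {g(x, r)}_r depends only on f(x)."""
    g, recipes = encode(f)
    xs = variables(f)
    rs = [v for v in variables(g) if v not in xs]
    by_image = {}
    for xbits in itertools.product((0, 1), repeat=len(xs)):
        x = dict(zip(xs, xbits))
        fx = evaluate(f, x)
        dist = []
        for rbits in itertools.product((0, 1), repeat=len(rs)):
            gx = evaluate(g, {**x, **dict(zip(rs, rbits))})
            if decode(gx, recipes) != fx:
                return False
            dist.append(gx)
        by_image.setdefault(fx, set()).add(tuple(sorted(dist)))
    return all(len(d) == 1 for d in by_image.values())

if __name__ == "__main__":
    for name, f in (("toy", TOY_F), ("poly", POLY_F)):
        g, _ = encode(f)
        print(name, "ok" if check_encoding(f) else "FAIL", "rank", rank(f),
              "locality f", input_locality(f), "locality g", input_locality(g))
```

For the toy f the gadget reproduces exactly the solution on slide 31, and for the slide-32 polynomial the measured input locality of every xi equals rank(xi) while each ri lands in at most 3 outputs. The privacy check works because, given x, the map r ↦ g(x,r) is injective and every image satisfies the decoding constraints, so g(x,U) is uniform over the strings that decode to f(x), which is all the simulator needs.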

  33. Decoding Random Linear Code • y = M·x + e, where M is a public random binary m×n matrix, x is a random binary info word of length n, and e is an iid noise vector (each bit is 1 w/prob. ε) • Problem: Given M, y find x • Params: m, ε. E.g., m = 10n, ε = 1/4 • Assumption: Problem is computationally hard • Well studied in Coding Theory/Learning Theory [Kearns98, BKW00, Lyu05, FGKP06] • Assumption does not hold ⇒ major breakthrough in Coding Theory • Similar assumptions in [GKL93, BFKL93, Chab94, HB01, Reg05, JW05, KS06]

  34. Decoding Random Linear Code • Write the noise as e_i = r_{2i-1} · r_{2i} for random bits r, so y = M·x + e is a function of (x, r) • Problem has nice algebraic structure: linear function + some low-degree noise • Can be used to construct primitives with low rank and low degree, e.g., OWF, PRG, Commitment
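The decoding problem of slides 33–34 written out concretely, as an added example (not code from the talk). It samples a constructed instance y = M·x + e over GF(2) with the low-degree noise e_i = r_{2i-1}·r_{2i} (each e_i is then 1 with probability 1/4, which matches ε = 1/4 on slide 33), writes each y_i as a polynomial in (x, r), and measures the two quantities slide 32 cares about: algebraic degree and rank. It also counts in how many outputs each x_j occurs when y is computed directly, which is about m/2 rather than O(1); that contrast is why the rank-1 structure, and not the raw circuit, is what the CN0 encoding exploits. The parameters n, m and the seed are my choice.

```python
import random

def sample_instance(n, m, seed=0):
    """Constructed instance: public random M (m x n), secret info word x, random bits r
    with noise e_i = r_{2i-1} r_{2i}, and y = M x + e over GF(2)."""
    rng = random.Random(seed)
    M = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]
    x = [rng.randrange(2) for _ in range(n)]
    r = [rng.randrange(2) for _ in range(2 * m)]
    e = [r[2 * i] & r[2 * i + 1] for i in range(m)]            # Pr[e_i = 1] = 1/4
    y = [(sum(M[i][j] & x[j] for j in range(n)) + e[i]) % 2 for i in range(m)]
    return M, x, r, y

def symbolic_outputs(M):
    """y_i as a GF(2) polynomial over variables x1..xn, r1..r2m: one degree-1 monomial
    per set entry of row i plus the degree-2 noise monomial r_{2i-1} r_{2i}."""
    outs = []
    for i, row in enumerate(M):
        mons = {frozenset({f"x{j + 1}"}) for j, bit in enumerate(row) if bit}
        mons.add(frozenset({f"r{2 * i + 1}", f"r{2 * i + 2}"}))
        outs.append(frozenset(mons))
    return outs

def evaluate(outs, assignment):
    """Evaluate every output polynomial on a dict {variable: bit}."""
    return [sum(all(assignment[v] for v in mon) for mon in out) % 2 for out in outs]

def rank_and_degree(outs):
    """rank(v) = # distinct monomials containing v (slide 32); degree = largest monomial."""
    monomials = set().union(*outs)
    variables = set().union(*monomials)
    return ({v: sum(1 for mon in monomials if v in mon) for v in variables},
            max(len(mon) for mon in monomials))

def direct_locality(outs):
    """# outputs each variable occurs in when y is computed directly (no encoding)."""
    variables = set().union(*set().union(*outs))
    return {v: sum(1 for out in outs if any(v in mon for mon in out)) for v in variables}

def analyse(n=8, m=40, seed=1):
    M, x, r, y = sample_instance(n, m, seed)
    outs = symbolic_outputs(M)
    assignment = {f"x{j + 1}": x[j] for j in range(n)}
    assignment.update({f"r{k + 1}": r[k] for k in range(2 * m)})
    consistent = evaluate(outs, assignment) == y      # symbolic view matches the sampled y
    rank, degree = rank_and_degree(outs)
    loc = direct_locality(outs)
    return {
        "consistent": consistent,
        "degree": degree,                              # 2: linear part + one quadratic noise term
        "max_rank": max(rank.values()),                # 1: every x_j and r_k sits in a single monomial
        "max_x_locality": max(loc.get(f"x{j + 1}", 0) for j in range(n)),  # about m/2, not O(1)
    }

if __name__ == "__main__":
    print(analyse())
```

Because every x_j appears in the single monomial {x_j} and every r_k in the single monomial {r_{2i-1}, r_{2i}}, the rank of each variable is 1 and the degree is 2 no matter how large m grows; those constants are what the slide-32 theorem turns into constant input and output locality for the primitives built on this assumption.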

  35. Conclusions • Cryptography in constant parallel time is possible • Randomized encodings (of various types) are useful for • this problem (and others…, e.g. MPC) • Future Directions: • Better encodings ?? • Better implementations ?? • Better (weaker) assumptions ?? • More applications of randomized encoding ??

  36. Thank You !
