Efficiency vs. Assumptions in Secure Computation
Yuval Ishai
Technion & UCLA
[Figure: Impagliazzo's worlds. Minicrypt: OWF, from which PRG, SIGN, ENC, PRF, COMMIT and ZK follow. Cryptomania: KA, PKE, OT, TDP.]
Secure Computation
• More general than you might think…
– Encryption, commitment, ZK, coin-flipping, signatures can be captured as special cases.
• This talk: secure function evaluation
– Two or more parties holding inputs xi
– Parties wish to compute f(x1,x2,…) without revealing inputs to each other
– Several variants:
• Honest majority vs. two-party / no honest majority
• Computational vs. unconditional security
• Semi-honest vs. malicious parties
• Standalone vs. UC
Feasibility Results
• No honest majority
– OT ⇒ computationally secure MPC [Yao86,GMW87]
– Ideal OT ⇒ unconditional, UC MPC [Kil88,IPS08]
– MPC for “nontrivial” f ⇒ OT [CK89,KKMO94,BIM99,HNRR04]
• Honest majority, secure channels
– Unconditional MPC [BGW88,CCD88,RB89]
[Figure: oblivious transfer (OT). Inputs: Alice (s0,s1), Bob c. Bob outputs sc.]
The Two-Party Case
[Figure: Alice holds x, Bob holds y; both are PPT; the protocol outputs f(x,y).]
• Security against Bob: ∃ PPT SBob ∀ x,y with |x|=|y|: SBob(y) ≈c ViewBob(x,y)
• Security against Alice: ∃ PPT SAlice ∀ x,y with |x|=|y|: SAlice(x, f(x,y)) ≈c ViewAlice(x,y)
The Two-Party Case (with security parameter k)
[Figure: as before, with common input 1^k.]
• Security against Bob: ∃ PPT SBob ∀ poly-size xk,yk: SBob(1^k, yk) ≈c ViewBob(1^k, xk, yk)
• Security against Alice: ∃ PPT SAlice ∀ poly-size xk,yk: SAlice(1^k, xk, f(xk,yk)) ≈c ViewAlice(1^k, xk, yk)
Efficiency of Secure Computation
• A lot of work on practical efficiency
• This talk: asymptotic efficiency
– May also be relevant to practice
– “Theory beats heuristics”
• Efficiency measures
– Communication complexity
– Computational complexity
– Round complexity
• Question: given function f and security parameter k
– How far can we push each efficiency measure?
– Under what assumptions?
Round Complexity
[Figure: Alice (x) and Bob (y) compute f(x,y); Bob's single message is Enc(y) (Cryptomania).]
• 2-message OT necessary (for general f)
• Is it also sufficient?
Randomized Encoding [Yao86,…,IK00,AIK04]
• g is a “randomized encoding” of f
– Nontrivial relaxation of computing f
• Hope:
– g can be “simpler” than f (meaning of “simpler” determined by application)
– g can be used as a substitute for f
[Figure: f maps x to f(x); g maps (x,r) to g(x,r), with a decoder and a simulator relating the two.]
• Correctness (decoder): Dec(g(x,r)) = f(x)
• Privacy (simulator): Sim(f(x)) ≡ g(x,r)
Notions of Simplicity
• Decomposable encoding: g((x1,…,xn),r) = (g1(x1,r),…,gn(xn,r))
• 2-Decomposable encoding: g((x,y),r) = (gx(x,r), gy(y,r))
• NC0 encoding: output locality c
• Low-degree encoding: algebraic degree d over F
Decomposable Encoding
g((x1,…,xn),r) = (g1(x1,r),…,gn(xn,r))
• Application: parallel reduction of secure 2-party computation to OT
– Use an encoding of the form g((x,y),r) = (g1(x1,r),…,gn(xn,r), gy(y,r))
[Figure: Bob (input y) samples r and sends gy(y,r) to Alice. For each i, Alice and Bob run one OT in parallel: Bob's inputs are (gi(0,r), gi(1,r)), Alice's choice bit is xi, and Alice receives gi(xi,r). Alice then decodes f(x,y).]
• More effort if Bob can be malicious
“A minimal model for secure computation” [FKN94] (application of 2-decomposable encoding)
[Figure: Alice (x) and Bob (y) share randomness r; each sends a single message, gx(x,r) and gy(y,r), to Carol, who outputs f(x,y).]
Randomizing polynomials [IK00,…] (low-degree encoding) ⇒ round-efficient secure multi-party computation
Cryptography in NC0 [AIK04,…] (NC0 encoding, applied to a OWF)
Basic Facts
• If we don’t care about efficiency, every f has a perfect, decomposable encoding g with
– degree 3 over F2 (generalizes to arbitrary rings)
– output locality 4
• Negative result: degree 3 is optimal over finite fields, assuming perfect privacy [IK00]
– Big fields can be tricky: g(x,r) = (Σi 2^i xi + c)·r^2 mod p
• Open
– Degree 2 with statistical or computational privacy?
• ⇒ 2-round MPC with t<n/2 semi-honest parties
– Output locality 3?
• ⇒ Crypto with optimal output locality from general assumptions
Degree-3 Encoding for Branching Programs
• BP(x) = det(L(x)), where L is a degree-1 mapping which outputs matrices of a special form.
• Encoding: g(x,r1,r2) = R1(r1) · L(x) · R2(r2), where
R1(r1) ($ = random entry):
1 $ $ $
0 1 $ $
0 0 1 $
0 0 0 1
L(x) (* = entry of degree 1 in x):
* * * *
-1 * * *
0 -1 * *
0 0 -1 *
R2(r2):
1 0 0 $
0 1 0 $
0 0 1 $
0 0 0 1
Complexity of Randomized Encoding
• Computational privacy
– OWFs exist ⇒ decomposable encoding for a circuit C of length O(k|C|)
• Yao’s garbled circuit technique [Yao86]
• Yields 2-message secure protocols from 2-message OT
– “Easy PRG” (say, PRG in NC1) ⇒ NC0 encoding of length |C|·poly(k) [AIK05]
• Assumption implied by factoring, discrete log, lattice assumptions
• Primitive X exists ⇒ X exists in NC0, under the Easy PRG assumption
• Perfect privacy
– Efficient NC0 encodings for formulas, branching programs [Kil88,FKN94,IK00,AIK04,…]
– Capture complexity classes NC1, NL/poly, L/poly
Open Complexity Questions
• No nontrivial lower bounds…
• Computational privacy
– OWF ⇒ efficient NC0 encoding for circuits?
• Crypto implies crypto in NC0!
– Decomposable encoding of size O(|C|)?
– Arithmetic garbled circuit?
• Perfect / statistical privacy
– Efficient encoding for circuits?
• Constant-round unconditionally secure MPC for P? [BMR90]
• Relation with other questions?
– Great LDC ⇒ poly-communication protocols for unbounded parties
– Better overhead for concrete representations
Back to Secure Computation
• Recap: two-message secure protocol for f(x,y)
– Assumes 2-message OT
– O(k|C|) communication
– poly(k)·|C| computation
• Better assumption? No
• Better rounds? No
• Better computation?
– PRG G:{0,1}^n → {0,1}^{n^2} in NC0 ⇒ constant overhead [IKOS08]
– Not implied by standard assumptions
– Semi-explicit candidate in [MST03]
• Better communication?
– Rest of talk
Life After the Bomb
• Gentry ’09: fully homomorphic encryption scheme
– Encpk(x), C ⇒ Enc’(C(x))
– Size of encrypted output independent of |C|, |x|!
– Can hide C, x (even given sk)
– Can make encrypted input size |x| + poly(k)
– Corollaries
• Secure evaluation of f(x,y) with (|input| + |output|)·poly(k) bits
• General protocol compiler with poly(k) communication overhead
– poly-time version of [NN01]
– Big poly(k) computational overhead
• What is left to be done?
– Assumptions
– Better communication complexity?
Communication Complexity
• Sometimes life is a long sequence of finite tasks…
– Circuit size = O(|output|)
– In this case, still need poly(k) bits per gate
• [IKOS08]:
– O(1) communication (and computation) per gate
– Under “exotic” crypto-in-NC0 assumption
• [IKOS09]:
– O(1) communication, poly(k) computation per gate
– Under Φ-Hiding Assumption [CMS99,GR05]
• Allows generating (G,g) such that m | ord(g) but m is hidden
Assumptions
• Weaker results under weaker assumptions?
– Beat circuit size bound for useful function classes?
• General problem: compute a “program” P on an encrypted input c ← Enc(x)
• Two sources of non-triviality
– Encrypted output hides P
– Encrypted output is shorter than |P|
• Good solutions for useful classes of P
– Linear functions: “standard” homomorphic encryption
– Truth tables: PIR [CGKS95,KO97,CMS99,…]
– Degree-2 polynomials [BGN05]
– Length-bounded branching programs [NN01,IP07]
Relevance to Impagliazzo’s Worlds
• Observation
– Most natural candidates for average-case hard problems imply one-way functions
– Most natural candidates for one-way functions imply public-key encryption
• Typically shown in an ad-hoc way
– Are we just lucky?
• Thesis
– Hardness + “structure” ⇒ world upgrade
– Concrete instantiation inspired by [KO97,BIKM99,DMO00,IKO05,HN06]
• Defined via communication complexity of secure computation
Communication Complexity
[Figure: Alice holds x ∈ X, Bob holds y ∈ Y; they compute f(x,y).]
• How many bits should be communicated to compute f whp?
• Most instances of f, X, Y are hard.
• What if Alice can send Bob c ←R Enc(x) “for free”?
• Bob computationally bounded, Alice bounded or unbounded.
• Efficiency of secure computation with security against Bob
– Generalizes PIR, homomorphic encryption
Types of Encryption
[Figure: encryption as x → c → x in each of Impagliazzo's worlds, with the key on each side. Cryptomania: (pk, sk). Minicrypt: (sk, sk). Pessiland: ? → c → x, with c samplable. Algorithmica: x → c → x.]
How to Get an Upgrade
• Need: poly-time computable f(x,y) and input distributions X, Y such that:
– f has high communication complexity on X×Y
• Low communication ⇒ error > 1/poly(n)
– f has lower communication complexity when c ←R Enc(x) is created by Alice and given to Bob (weak homomorphic property).
• Possibly with small error
• Then Enc can be upgraded
Candidate f, X, Y
• f(x,y) = Σ xi yi mod 2
– X, Y uniform on {0,1}^n
– Hard for interactive protocols with n − O(1) communication [Yao,Vaz,CG]
• f(x,y) = Σ xi yi
– Y uniform on {0,1}^n, X uniform of weight 1
– Hard for non-interactive Bob → Alice protocols with n − 1 bits of communication
Minicrypt → Cryptomania+
• Given:
– symmetric encryption (Gen, Enc, Dec)
– weakly homomorphic for (f, X, Y) with bounded Alice
• Goal: build public-key encryption (Gen’, Enc’, Dec’)
[Figure: sk ← Gen. Alice holds x ∈ X and sends c = Encsk(x) to Bob; Bob, holding y ∈ Y, replies with d = Bob(c,y); Alice(sk, d, x) outputs f(x,y).]
• Multi-round protocol ⇒ KA
Minicrypt → Cryptomania+
• Gen’
– sk ← Gen; x ← X; c ← Encsk(x)
– pk = (c, x)
• Enc’pk(b)
– y ← Y
– Output (Bob(c,y), b ⊕ f(x,y))
• Dec’sk(d,e)
– Recover f(x,y) from (d, sk) using Alice’s algorithm
– Output e ⊕ f(x,y)
• Security: using hybrid game with c ← Encsk(x’)
– Predicting f(x,y) from (c, x, Bob(c,y)) is impossible unconditionally
– Hybrid game computationally indistinguishable from real game
• Implies 2-message OT with statistical security for Sender
Example: Kids Encryption → PKE
• Let p = public k-bit prime
– sk ←R Zp
– Encsk(b) = (2r + b)·sk mod p
• r ←R [0, p/(4k)]
– Decsk(c) = ((c·sk^-1) mod p) mod 2
– Encsk(x) = Encsk(x1) … Encsk(xn)
• Weak homomorphism:
– Let x, y ∈ {0,1}^2k
– Given c = (c1,…,c2k) ← Encsk(x) and y, Bob(c,y) = Σ yi ci allows Alice to decode Σ xi yi mod 2
Example: LWE → PKE
• Decisional LWE: (M, Mr + e) is pseudorandom
– M, r random over Zq
– e random with “small” entries
• Symmetric encryption:
– sk = random r
– Encsk(x) = (M, Mr + e + (q/2)·x)
• Weak homomorphism
– By adding rows, as long as Σ ei << q
Pessiland → Minicrypt+
• Given:
– “Pessiland Encryption” Enc
– Enc is weakly homomorphic for (f, X, Y) with unbounded Alice
– (f, X, Y) is nontrivial: for any distinct y, y’, Pr[x ← X: f(x,y) = f(x,y’)] < 1 − 1/poly
• Goal: build a collision-resistant hash function
• Construction
– Key generation: c ← Enc
– Hashing: hc(y) = Bob(c,y)
– Collision resistance:
• hc(y) = hc(y’) ⇒ f(x,y) = f(x,y’) for x = “Dec”(c) ⇒ nontrivial info on x
Failed Attempt: LPN → CRHF
• Assumption: (M, Mr + e) is pseudorandom
– M, r random over Z2, e random with low Hamming weight
– Similar to LWE but over the binary field
– Follows from hardness of the search problem
• Implies symmetric encryption
• n1/2--noise LPN implies PKE [Ale03]
– Also 2-message OT
• Not known to imply CRHF
• Explanation
– Homomorphism limited by dimension
– In the case of LWE, the field size gives an extra degree of freedom
Summary
• Under standard assumptions
– Constant rounds
– poly(k) communication and computation per gate
• Pushing communication to an extreme
– Fully homomorphic encryption
• Secure communication ≤ poly(k) · insecure communication
• Same round complexity
– Φ-hiding assumption
• O(1) communication per gate
• O(depth) rounds
– Both expensive in computation
• Pushing computation to an extreme
– poly-stretch PRG in NC0
• O(1) computation per gate
• O(depth) rounds
Concluding Remarks
• Ambitious goals call for nonstandard assumptions.
– Especially when no heuristics are available
• Does “nonstandard” mean more risky?
– Factoring requires super-polynomial time vs.
– A “random” NC0 function is exponentially hard to invert