Cryptography in Constant Parallel Time Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07) Benny Applebaum.


Cryptography in Constant Parallel Time
Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07)
Benny Applebaum (Technion / Princeton)

Talk Outline
Part 1: Crypto in NC^0 – Survey
– The basic question
– Main results
– Main tool: randomized encoding of functions
Part 2: Crypto in CN^0 [AIK 07]
– The basic question
– Main results
– Something about the proof

Part 1: Crypto in NC^0
(Figure: ZK-Proofs, Signature, Encryption.)

Efficiency of Cryptographic Primitives
Q: What computational resources are needed for cryptography? Can cryptographic primitives be computed by very simple functions?
Simple = each output bit depends on O(1) input bits = const. depth circuits with bounded fan-in = NC^0
NC^0 is currently the smallest creature in the complexity zoo.
(Figure: NC^0_3 inside NC^0.)

Cryptography in NC^0?
Tempting conjecture: crypto hardness requires a complex function ([CM]: Yes, [G]: No)
Longstanding open question: Håstad 87, Impagliazzo Naor 89, Goldreich 00, Cryan Miltersen 01, Krause Lucks 01, Mossel Shpilka Trevisan 03
Real-life motivation: super-fast cryptographic hardware

Basic Primitives: One-way Function (OWF)
f is an OWF if computing y = f(x) from x is easy, but a poly-time machine given y cannot find a preimage x in f^{-1}(y) (hard).

Basic Primitives: Pseudorandom Generator (PRG)
G maps a uniformly random seed U_in (from the random source) to a longer output G(U_in); a poly-time machine cannot tell G(U_in) from a truly uniform U_out of the same length ("pseudorandom or random?"). The stretch is the output length minus the seed length.
Def. A PRG is minimal if stretch = 1.

Previous Work
Positive results
– PRG in NC^1 from factoring, discrete-log, lattices, …
– PRF in NC^1 from factoring [Naor Reingold 97]
– PRG (sub-lin stretch) in AC^0 from subset sum [Impagliazzo Naor 89]
– Permutation in NC^0 which is P-complete to invert [Håstad 87]
– Function in NC^0 which is NP-complete to invert [Agrawal Allender Rudich 98]
– Heuristic construction of OWF/PRG in NC^0 [Goldreich 00, MST 03]
Negative results
– No OWF in NC^0_2 [Goldreich 00, Cryan Miltersen 01]
– No PRG with large stretch in NC^0_3, NC^0_4 [CM01, Mossel Shpilka Trevisan 03]
(Figure: hierarchy NC^0_2, NC^0_3, NC^0_4, NC^0, AC^0, NC^1 with the status of PRG/OWF in each: impossible in NC^0_2, open in between, low-stretch PRG [MST 03], PRG/OWF in AC^0 from subset sum and in NC^1 from factoring, discrete-log, lattices, ….)

Our Approach
Compile primitives in a relatively high complexity class into ones in NC^0.
(Figure: OWF → Compiler → OWF with locality 4.)

Our Results

Sufficient Assumptions for Crypto in NC^0 [AIK 04, AIK 05]
Assuming a min-PRG in NC^1 (implied by factoring, discrete-log/DDH, lattices, …), all of OWF, PRG, Hash, Sym-Enc, PK-Enc, Signature, Commit and NIZK exist in NC^0.
(Figure: table of OWF, PRG, Hash, Sym-Enc, PK-Enc, NI-Com, Sign, NIZK across the classes P, NC^1 and NC^0_4, with factoring as the base assumption.)
Caveats:
– We get PRG with sub-linear stretch
– Decryption / verification not in NC^0 … in fact, impossible to decrypt/verify in NC^0
– … But: can commit in NC^0 with decommit in NC^0 [AND]

Parallel Reductions Between Primitives
Thm. OWF, min-PRG, lin-PRG, Commit, Sym-Enc, Signature, … are all equivalent under poly-time reductions: Blum Micali 82, Yao 82, Levin 85, Goldreich Krawczyk Luby 88, Håstad Impagliazzo Levin Luby 90, Goldreich Micali 84, Goldreich Goldwasser Micali 84, Goldwasser Micali Rivest 84, Bellare Micali 88, Naor Yung 89, Rompel 90, Naor 89, Impagliazzo Luby 89, …
Note: non-black-box reductions!
What about NC reductions? Much less is known…
New [AIK05]: (Figure: OWF → min-PRG → lin-PRG → Commit / Sym-Enc / Signature, Regular OWF → PRG, Synthesizer → PRF, with each arrow labelled NC^1 or NC^0 and cited as HILL90, NR95, Naor89, AIK04, GGM84.)

PRG with Large Stretch in NC^0
Our techniques give a PRG with sub-linear stretch, e.g., stretches n bits to n + n^0.5 bits.
Question: Are there PRGs in NC^0 with large stretch? E.g., linear stretch, G: {0,1}^n → {0,1}^{2n} (LPRG)
Motivation: parallel stream ciphers
Related work:
– No super-linear PRG in NC^0_3, NC^0_4 [CM01, MST03]
– Heuristic super-linear PRG in NC^0_5 [MST 03]

PRG with Large Stretch in NC^0
Question: Are there PRGs in NC^0 with large stretch?
Thm. [AIK 06]: LPRG in NC^0
– from the algebraic assumption of [Alekhnovich 03]
– (easily) implies inapproximability of MAX 3SAT (no PCP!)
– unlikely to be constructed via the compiler

Our Techniques

Main Tool: Randomized Encoding
(Figure: x → f → y, versus (x, r) → g → Enc(y).)

Randomized Encoding – Definition
g(x, r) is a randomized encoding of f(x) if:
– Correctness: f(x) can be efficiently decoded from g(x, r).
– Privacy: there is an efficient simulator S such that S(f(x)) is distributed as g(x, U), i.e., the distribution g(x, U) depends only on f(x).
(Figure: for inputs x, w with f(x) = f(w), the output distributions g(x, U) and g(w, U) coincide.)

Randomized Encoding – Cont.
Explicitly introduced by Ishai and Kushilevitz [IK 00]
– Algebraic framework of randomizing polynomials
– Motivation: information-theoretic secure multiparty computation
– Weaker versions implicit in secure computation (e.g. [Kil 88, FKN 94])
g is a randomized encoding of f: a nontrivial relaxation of computing f
Want the relaxation to be
– Secure: g inherits security properties of f
– Liberal: even complex f admit encodings g in NC^0

Security of Randomized Encoding
Thm. [AIK04]: randomized encoding preserves the crypto hardness of most primitives
– E.g., OWF, OWP, PRG, Sym-Enc, PK-Enc, Sign, MAC, Hash, Com, ZK
– Also works for information-theoretic primitives (ε-biased generators, extractors, …)
– Different primitives require different variants of randomized encoding
Paradigm for crypto w/ low complexity:
– Encode functions in complexity class HIGH by functions in LOW
– Show that a primitive P can be implemented in HIGH
– Conclude that P can be implemented in LOW

Part 2: Crypto in CN^0 [AIK07]

Cryptography with Constant Input Locality
Till now we considered only NC^0 functions: NC^0 = const. depth circuits with bounded fan-in = each output bit depends on O(1) input bits (output locality).
CN^0: each input bit affects O(1) output bits (input locality).
Q: Can cryptographic primitives be realized by functions in which each input bit affects a constant number of output bits?

Motivation I: Avalanche Property
Confusion/Diffusion, Avalanche [Shannon 49, Feistel 73]: input-output dependencies of a block cipher should be complex.
"The important fact is that all output digits have potentially become very involved functions of all input digits" [Feistel 73]
Easily justified in block ciphers (or pseudorandom functions/permutations). Is it also true for other primitives?

Motivation II: Fast Crypto Hardware
NC^0: circuits of const. depth, const. fan-in, unbounded fan-out (depth = O(1)).
NC^0 ∩ CN^0: functions of const. output locality & input locality, i.e., const. fan-out as well.

Motivation III: Complexity Theory
k-Constraint Satisfaction Problem: a list of constraints over n variables x_1, …, x_n, each constraint involving k = O(1) variables, e.g.
– X_1 + X_3 X_5 = 0
– X_2 X_3 X_4 = 1
– …
– X_2 + X_3 + X_4 = 1
Goal: find a satisfying assignment.
Bounded-occurrence variant: each variable appears in O(1) constraints.
Fact: hard in many aspects (and still hard in the bounded-occurrence variant):
– Cook-Levin Theorem [C71, L73]: NP-hard; bounded occurrence [C71]: still NP-hard
– PCP Theorem [ALMSS, AS 92]: NP-hard to approximate; bounded occurrence [PY88]: still NP-hard to approximate
– OWF in NC^0 [AIK 04]: cryptographically hard; bounded occurrence, i.e., OWF in NC^0 ∩ CN^0: still cryptographically hard? YES

Previous Work
– [Goldreich 00] Heuristic OWF in NC^0 ∩ CN^0
– [Mossel Shpilka Trevisan 03] Heuristic PRG in NC^0 ∩ CN^0
– [AIK 04] Primitives in NC^0 from primitives in NC^1; primitives in NC^1 from standard assumptions (e.g., factoring, DLOG, lattices), so OWFs, PRGs, Encryption, Signatures, Hash, … in NC^0 from factoring
– [AIK 06] Linear PRG in NC^0 ∩ CN^0 from the assumption of [Alekhnovich 03]
Crypto in CN^0 under standard assumptions?
(Figure: table of OWF, PRG and most primitives by class NC^0 / CN^0 and by assumption: factoring, random linear code, Alekhnovich's assumption, McEliece, heuristic construction.)

Main Result
A characterization of crypto tasks computable in CN^0.
Possible in CN^0:
– One-Way Functions *
– Pseudorandom Generators *
– Commitment Schemes *
– Semantically-Secure Encryption (symmetric *, public-key **)
Impossible in CN^0:
– Message Authentication Codes
– Signatures
– Non-Malleable Encryption (symmetric, public-key)
* If hard to decode a random binary linear code / learn parity w/ noise
** If hard to break the McEliece cryptosystem

PRG with Optimal Locality
Also get a PRG with optimal input and output locality (namely, 3).
(Figure: the NC^0_2, NC^0_3, NC^0_4, NC^0, AC^0, NC^1 hierarchy for OWF/PRG, with the NC^0_3 case previously marked open.)

Positive Results: Proof Outline
Use the randomized encoding paradigm.
New construction: encoding in CN^0 for functions with a nice algebraic structure.
Assumption: hardness of decoding a random linear code / McEliece
⇒ crypto primitives with a nice algebraic structure
⇒ primitive in CN^0

Encoding in CN^0 – Toy Example
f(x) = (x_1 + x_2, x_1 + x_3, x_1 + x_4, x_1 + x_5)
Goal: reduce the locality of x_1 without increasing the locality of other vars.
Attempt 1 (chain): g(x) = (x_1 + x_2, −x_2 + x_3, −x_3 + x_4, −x_4 + x_5). Deterministic encoding! Problem: increased the locality of the other vars.
Attempt 2 (replace): g(x, r) = (r_1 + x_2, r_2 + x_3, r_3 + x_4, r_4 + x_5, x_1 − r_1, x_1 − r_2, x_1 − r_3, x_1 − r_4). Problem: didn't reduce the locality of x_1.
Solution: combine 1 + 2 (replace and chain):
g(x, r) = (r_1 + x_2, r_2 + x_3, r_3 + x_4, r_4 + x_5, x_1 − r_1, r_1 − r_2, r_2 − r_3, r_3 − r_4)
Locality: x_1 is 1; x_2, x_3, x_4, x_5 did not increase; the r_i's is 3.
Correctness: to decode, add the corresponding entries, e.g. x_1 + x_4 = (r_3 + x_4) + (x_1 − r_1) + (r_1 − r_2) + (r_2 − r_3).
Privacy: g(x, r) is distributed uniformly under the correctness constraint.
By iterating the basic gadget for every variable:
Corollary: every linear function can be encoded by a function w/ input locality 3.

Encoding in CN^0 – Generalization
Suppose that f is given in some additive form, e.g.
f(x) = (x_1 x_2 + x_2 x_3 x_5, x_1 x_2 + x_2 x_4 x_5, x_1 x_2 + x_1 x_3 x_4, x_1 x_2 + x_2 x_5)
rank(x_i) = # of distinct terms in which x_i appears (here rank(x_1) = 2: the terms x_1 x_2 and x_1 x_3 x_4).
Thm. f can be encoded by g such that:
– input locality of x_i is rank(x_i)
– input locality of random inputs is at most 3
– output locality is not increased
Proof: generalize the previous construction.
Corollary: if for every i, rank(x_i) = O(1), then g is in CN^0 [AIK04]. If also the algebraic degree is O(1), then g is in CN^0 ∩ NC^0.
Tightness:
– Some functions cannot be encoded with locality < rank(x_i)
– Some functions cannot be encoded in CN^0 (even w/ a non-efficient encoding). Unlike NC^0: every f has a (non-efficient) encoding in NC^0 [AIK04]

Decoding Random Linear Code
y = M x + e, where M is a public random binary m × n matrix, x is a random binary info word (n bits) and e is an iid noise vector, each bit being 1 with probability equal to the noise rate.
Problem: given M, y find x.
Params: m and the noise rate. E.g., m = 10n and noise rate ¼.
Assumption: the problem is computationally hard.
– Well studied in coding theory / learning theory [Kearns98, BKW00, Lyu05, FGKP06]
– If the assumption does not hold, that is a major breakthrough in coding theory
– Similar assumptions in [GKL93, BFKL93, Chab94, HB01, Reg05, JW05, KS06]

Decoding Random Linear Code – Cont.
y = M x + e with e_i = r_{2i−1} r_{2i}: each noise bit is the product (AND) of two fresh random bits, so it equals 1 with probability ¼.
The problem has a nice algebraic structure: a linear function + some low-degree noise.
Can be used to construct primitives with low rank and low degree, e.g., OWF, PRG, Commitment.
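The following is an added example, not code from the talk or from the AIK papers. It ties the definition of randomized encoding (correctness and privacy) to the "replace and chain" toy example, to the generalization theorem (input locality rank(x_i) for the original variables, at most 3 for the fresh random bits), and to the decoding-random-linear-code function y = M x + e with e_i = r_{2i−1} r_{2i}. A function is given in additive form as a list of outputs, each a set of GF(2) monomials; the gadget replaces every term that occurs in several outputs by fresh random bits and adds a chain, which is one way to obtain exactly the stated bounds (the papers' own construction may differ in detail; that is an assumption). The 3 × 2 matrix M and the shrunken parameters are constructed so that the brute-force check can enumerate every input.

```python
"""Term-wise "replace and chain" randomized encoding over GF(2).

Added example, not the talk's or the papers' code.  A function is a list
of outputs; each output is a set of terms; each term is a frozenset of
variable indices (a monomial over GF(2)).  The gadget below is one way to
realise the locality bounds stated on the slides (assumption: the papers'
own construction may differ in detail).
"""
from collections import Counter
from itertools import product


def rank(func, var):
    """rank(x_i) as on the slides: number of distinct terms containing var."""
    return len({t for out in func for t in out if var in t})


def input_locality(func, var):
    """Number of outputs that depend on var."""
    return sum(any(var in t for t in out) for out in func)


def degree(func):
    """Algebraic degree: size of the largest term."""
    return max((len(t) for out in func for t in out), default=0)


def evaluate(func, a):
    """Evaluate every output on the bit vector a (index = variable) mod 2."""
    return tuple(sum(all(a[v] for v in t) for t in out) % 2 for out in func)


def encode(func, nvars):
    """Replace each repeated term by fresh random bits and add a chain.

    Returns (enc, total, decode): enc is g over variables 0..total-1 (the
    original nvars first, fresh random bits after) and decode[j] is the set
    of g-outputs whose XOR equals f-output j.
    """
    m = len(func)
    enc = [set(out) for out in func]
    decode = [{j} for j in range(m)]
    nxt = nvars                                   # index of the next fresh bit
    for term in sorted({t for out in func for t in out}, key=sorted):
        occ = [j for j in range(m) if term in enc[j]]
        if len(occ) < 2:
            continue                              # used once: nothing to reduce
        prev, chain = term, []
        for j in occ:
            r = frozenset([nxt])
            nxt += 1
            enc[j].remove(term)
            enc[j].add(r)                         # "replace": term -> r_t
            chain.append(len(enc))
            enc.append({prev, r})                 # "chain": prev + r_t (minus = plus mod 2)
            prev = r
            decode[j].update(chain)               # term + r_t = chain[0] + ... + chain[t]
    return enc, nxt, decode


def brute_check(func, nvars):
    """Correctness, privacy and locality of encode(func) by full enumeration."""
    enc, total, decode = encode(func, nvars)
    nrand = total - nvars
    rand_loc = [input_locality(enc, v) for v in range(nvars, total)]
    result = {"nrand": nrand, "outputs": len(enc), "correct": True, "private": True,
              "max_rand_locality": max(rand_loc, default=0),
              "rank_bound": all(input_locality(enc, v) <= rank(func, v) for v in range(nvars))}
    dists = {}                                    # f(x) -> distribution of g(x, U)
    for x in product((0, 1), repeat=nvars):
        y = evaluate(func, x)
        dist = Counter()
        for r in product((0, 1), repeat=nrand):
            z = evaluate(enc, x + r)
            decoded = tuple(sum(z[k] for k in d) % 2 for d in decode)
            result["correct"] &= decoded == y     # correctness: decode(g(x, r)) = f(x)
            dist[z] += 1
        if dists.setdefault(y, dist) != dist:     # privacy: same f(x) => same distribution
            result["private"] = False
    result["images"] = len(dists)
    result["support_sizes"] = sorted({len(d) for d in dists.values()})
    return result


# Toy example from the slides: f(x) = (x1+x2, x1+x3, x1+x4, x1+x5), variables 0..4.
TOY = [{frozenset([0]), frozenset([k])} for k in range(1, 5)]

# Constructed 3x2 matrix for y = M x + e (the talk uses m = 10n; shrunk here so
# that the brute-force check can enumerate all inputs).
LPN_M = [[1, 1], [1, 0], [0, 1]]


def lpn_function(M):
    """Additive form of y = M x + e with e_i = r_{2i} r_{2i+1}; returns (func, nvars).

    The noise bit is the AND of two uniform bits, so it is 1 with probability 1/4.
    """
    n, m = len(M[0]), len(M)
    func = []
    for i, row in enumerate(M):
        terms = {frozenset([j]) for j in range(n) if row[j]}
        terms.add(frozenset([n + 2 * i, n + 2 * i + 1]))   # low-degree noise term
        func.append(terms)
    return func, n + 2 * m


if __name__ == "__main__":
    print("toy:", brute_check(TOY, 5))
    f, nv = lpn_function(LPN_M)
    print("lpn: degree", degree(f), "ranks", [rank(f, v) for v in range(nv)])
    print("lpn:", brute_check(f, nv))
```

For the toy function the encoder reproduces the slide's g exactly (four fresh bits, eight outputs, x_1 appearing once, each r_i in at most three outputs), and the enumeration confirms that g(x, U) is uniform over 16 points determined by f(x) alone. For the code-decoding function every variable has rank 1 and the degree is 2, which is the "low rank, low degree" structure the slide refers to, so the same gadget yields an encoding with input locality at most 3.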

Conclusions
– Cryptography in constant parallel time is possible
– Randomized encodings (of various types) are useful for this problem (and others…, e.g. MPC)
Future directions:
– Better encodings?
– Better implementations?
– Better (weaker) assumptions?
– More applications of randomized encoding?

Thank You !