
Post on 17-Jan-2016


On the Cryptographic Complexity of the Worst Functions

Amos Beimel (BGU), Yuval Ishai (Technion), Ranjit Kumaresan (Technion), Eyal Kushilevitz (Technion)

How Bad are the Worst Functions?

• Function class FN: all functions f : [N] × [N] → {0,1}
• Standard complexity-theoretic measures
  – Circuit complexity: Θ(N²/log N) [Sha48,Lup58]
  – 2-party communication complexity: Θ(log N) [Yao79]
• This work: cryptographic complexity of the worst functions
  – Information-theoretic cryptography: communication complexity, randomness complexity

Model

• Security model: information-theoretic
  – Unbounded adversaries; statistical/perfect security
  – Semi-honest adversary: no deviation from the protocol
• Functions: the class FN of all two-argument functions f : [N] × [N] → {0,1}
  – Interested in the worst f ∈ FN
• Crypto primitives
  – Secure computation: various models; communication/randomness
  – Secret sharing: share complexity

Secure Computation: What is Known?

Information-theoretic security
• Honest majority [RB89,BGW88]
• 2-party in the OT-hybrid or preprocessing model [Kil88,Bea95]
• Impossible in the plain model [Kus89]
• Private Simultaneous Messages [FKN94]

(Diagram: Alice with input x and Bob with input y; Alice outputs f1(x,y), Bob outputs f2(x,y).)

• Best upper bounds linear in N
  – Sublinear if big honest majority [BFKR90,IK04]
• Counting arguments yield weak lower bounds

Can communication complexity be made logarithmic in N?

2-Party Secure Computation (2PC)

Information-theoretic security
• Impossible in the plain model [Kus89]
• OT-hybrid/preprocessing model
• Popular protocols [GMW87, Y86]

Information-theoretic garbled circuits [Yao86]
• Depends on circuit structure
• Quadratic in formula depth
• Exponential-in-depth overhead for circuits

GMW [GMW87]
• Gate-by-gate evaluation of the given circuit
• #OTs required: twice the #AND gates
• Communication cost: twice the #AND gates

(Diagram: Alice with input x and Bob with input y; Alice outputs f1(x,y), Bob outputs f2(x,y).)

What is Known? OT-Hybrid Model

Oblivious Transfer [Rab81,EGL85]
(Diagram: the sender holds x0, x1; the receiver holds the choice bit b and learns xb, nothing more.)

OT extension
• Impossible in the information-theoretic setting [Bea97]
• OT as an "atomic currency"

Pre-computation
• Random OT correlations can be "corrected" [Bea95]:
  – Precomputed random OT: sender holds (y0, y1), receiver holds (c, yc)
  – Receiver sends d = c ⊕ b
  – Sender sends z0 = x0 ⊕ yd, z1 = x1 ⊕ y1−d
  – Receiver outputs zb ⊕ yc = xb

Complete
• Given an ideal OT oracle, one can get information-theoretic 2-party secure computation [Kil88,GV88]

*Slide created before revelations
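As an added illustration (our own code, not from the slides or the paper), the Beaver correction sketched above: the offline random correlation, the receiver's single bit d, and the masked pair (z0, z1). Function names are ours.

```python
import secrets

# Added example: correcting a random OT correlation [Bea95] into a
# chosen-input 1-out-of-2 bit OT. Names and structure are ours.

def precompute_random_ot():
    """Offline phase: trusted setup samples the random OT correlation.
    Sender gets (y0, y1); receiver gets (c, y_c)."""
    y0, y1 = secrets.randbits(1), secrets.randbits(1)
    c = secrets.randbits(1)
    return (y0, y1), (c, y1 if c else y0)

def receiver_open(receiver_corr, b):
    """Online: receiver with choice bit b publishes d = c xor b.
    d is uniform from the sender's view because c is."""
    c, _ = receiver_corr
    return c ^ b

def sender_correct(sender_corr, x0, x1, d):
    """Online: sender masks its inputs with the precomputed bits, aligned by d."""
    y = sender_corr          # (y0, y1)
    z0 = x0 ^ y[d]
    z1 = x1 ^ y[1 - d]
    return z0, z1

def receiver_finish(receiver_corr, b, z):
    """Receiver unmasks z_b with y_c; z_{1-b} stays masked by y_{1-c},
    which the receiver never learned."""
    _, yc = receiver_corr
    return z[b] ^ yc

def run_ot(x0, x1, b):
    """One chosen-input OT consuming one precomputed random OT."""
    sender_corr, receiver_corr = precompute_random_ot()
    d = receiver_open(receiver_corr, b)
    z = sender_correct(sender_corr, x0, x1, d)
    return receiver_finish(receiver_corr, b, z)
```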

OT Complexity

OT complexity of a function f: number of (bit) OTs required to securely evaluate f

This work: O(N^{2/3}) OT complexity

(Diagram: truth-table based 2PC. Alice holds the row f(x,1), f(x,2), …, f(x,N); Bob selects entry y via 1-out-of-N OT and obtains f(x,y).)

• Circuit-based 2PC: O(N²/log N) [GMW87]
• Truth-table based 2PC: O(N) via 1-out-of-N OT
  – 1-out-of-N OT from O(N) 1-out-of-2 OTs [BCR86]
• Let FN be the class of all 2-party f : [N] × [N] → {0,1}
• What is the OT complexity of the worst function in FN?

Preprocessing Model

Correlated randomness
• Independent of inputs
• May depend on f

(Diagram: the offline phase hands correlated randomness rA to Alice and rB to Bob; in the online phase Alice with x and Bob with y both output f(x,y).)

OT correlations
• Special case: pre-computed OTs
• "Simpler" correlations
• Independent of the function

Correlated Randomness Complexity

Correlated randomness complexity of a function f: size of the correlated randomness required to securely evaluate f

• O(log N) online communication [IKMOP13], with O(N²) correlated randomness
• Truth-table based 2PC: O(N), via 1-out-of-N OT [BCR86]

This work: 2^{Õ(√log N)} correlated randomness

• Let FN be the class of all 2-party f : [N] × [N] → {0,1}
• Correlated randomness complexity of the worst function in FN?

Private Simultaneous Messages (PSM)

Model [FKN94]
• Multiple clients, sharing randomness r
• Single referee
• Non-interactive
• Referee learns only f(x,y)
• No collusion

(Diagram: Alice with (x, r) and Bob with (y, r) each send one message to the referee, who outputs f(x,y).)

Why PSM?
• Minimal model of secure computation [FKN94]
• Applications in round-efficient protocol design [IKP10]
• Connections to secret sharing! [BI01]

What is Known? [FKN94,IK97]
• Efficient for f with small formulas, branching programs
• Worst case f: O(N)
• Lower bound: 3 log N − 4

(Diagram of the O(N) protocol: shared randomness r = (s, (r1, …, rN)). Alice sends f(x,1+s) + r1, f(x,2+s) + r2, …, f(x,N+s) + rN; Bob sends (y−s, r_{y−s}); the referee outputs f(x,y).)

PSM Complexity

PSM complexity of a function f: communication complexity of a PSM protocol for f

This work: O(√N) PSM complexity

• What is the PSM complexity of the worst function in FN?
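The O(N) PSM protocol of [FKN94] sketched above, written out as an added example (our code, not the authors'). Indices are 0-based, arithmetic on positions is mod N, and "+" on bits is XOR; the referee sees a uniformly random position and N masked bits, only one of which it can unmask.

```python
import secrets

# Added example: the O(N) PSM of [FKN94] for an arbitrary f : [N] x [N] -> {0,1}.
# Alice's message has N bits, Bob's has log N + 1 bits.

def psm_setup(N):
    """Shared randomness r = (s, (r_1, ..., r_N)): a cyclic shift and N mask bits."""
    s = secrets.randbelow(N)
    masks = [secrets.randbits(1) for _ in range(N)]
    return s, masks

def alice_message(f, N, x, r):
    """Alice sends her truth-table row, cyclically shifted by s and masked bitwise."""
    s, masks = r
    return [f(x, (j + s) % N) ^ masks[j] for j in range(N)]

def bob_message(N, y, r):
    """Bob sends the position of y inside the shifted row and the mask at it."""
    s, masks = r
    j = (y - s) % N
    return j, masks[j]

def referee(ma, mb):
    """Referee unmasks exactly one entry of Alice's row: f(x, y).
    The other N-1 entries stay masked by bits it never sees."""
    j, mask = mb
    return ma[j] ^ mask

def run_psm(f, N, x, y):
    """One execution: setup, both messages, referee output."""
    r = psm_setup(N)
    return referee(alice_message(f, N, x, r), bob_message(N, y, r))
```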

Secret Sharing

Model
• External dealer + n parties
• Dealer has input secret s
• Sends "shares" to the parties; then inactive
• Access structure: set of "authorized" subsets
  – Secret hidden from unauthorized subsets
  – Any authorized subset can reconstruct s

What is Known?

Share complexity: size of each share
• Best upper bound: 2^{O(n)} [BL90,Bri89,KW93]
• Best lower bound: Ω(n/log n) [Csi97]

Poly(n) share complexity for every n-party access structure?

Forbidden Graph Access Structures

Forbidden graph [SS97]
• Graph G = (V,E) with |V| = N
• Authorized subsets:
  – Sets {u,v} with (u,v) ∈ E
  – Any set of size ≥ 3

• Naïve solution: O(N) [SS97,BL90]
• O(N/log N) share complexity [BDGV96,EP97,Bub86]

This work: O(√N) share complexity

• What is the share complexity of the worst N-vertex graph?

Talk Outline
• Main technical tool: PIR
• OT complexity
• Correlated randomness complexity
• PSM complexity
• Share complexity for forbidden graphs

Private Information Retrieval

Model [CGKS95]
• Single client, multiple servers
• Each server has the same DB
• Size of DB = N (bits); DB unknown to the client
• Client input: index i ∈ [N]; privately retrieve DB[i]
• No collusion among servers
• Goal: minimize communication

Query generation: (q1, q2) ← Q(i, r)
Answer generation: ak ← A(k, qk, DB)
Reconstruction: z ← R(i, r, a1, a2)

(Diagram: the client with (i, r) sends q1 and q2 to two servers holding DB, receives a1 and a2, and outputs z.)

Best known PIR schemes
• 2-server: O(N^{1/3}) [CGKS95]
• 3-server: 2^{Õ(√log N)} [Yek07,Efr09]

Talk Outline
• Main technical tool: PIR
• OT complexity
  – Upper bound: O(N^{2/3}), via 2-server PIR
• Correlated randomness complexity
• PSM complexity
• Share complexity for forbidden graphs

OT-Hybrid Model (Recap)

• Let FN be the class of all 2-party f : [N] × [N] → {0,1}
• What is the OT complexity of the worst function in FN?

OT complexity of a function f: number of (bit) OTs required to securely evaluate f
• Circuit-based 2PC for the worst f: O(N²/log N) [GMW87]
• Truth-table based 2PC for the worst f: O(N), 1-out-of-N OT [BCR86]
• OT is "complete"; pre-computation; no OT extension

(Diagram: OT with sender inputs x0, x1, receiver choice bit b, receiver output xb.)

O(N^{2/3}) Upper Bound on OT Complexity: Via 2-server PIR

Notation
• PIR algorithms: Q, A, R
  – (q1, q2) ← Q(i, r); ak ← A(k, qk, DB); z ← R(i, r, a1, a2)
• Circuit for algorithm B: C(B); |C(B)| = #ANDs in C(B)

High-level idea: use 2-party secure computation to emulate the client + 2 PIR servers
• DB = truth table of f
• Client query = x||y

(Diagram: Alice with (x, r1) and Bob with (y, r2) run GMW(C(Q')) with Q' = Q(x||y, r1 ⊕ r2), obtaining q1 and q2 respectively. Locally, a1 = A(1, q1, f) and a2 = A(2, q2, f). They then run GMW(C(R')) with R' = R(x||y, r1 ⊕ r2, a1, a2), and both output f(x,y).)

Efficiency
• 2-server PIR [CGKS95]: |C(Q)| = |C(R)| = O(N^{2/3})
• By property of GMW: O(N^{2/3}) OT complexity, O(N^{2/3}) communication

Privacy
• Privacy of GMW
• Privacy of 2-server PIR: the query does not leak additional information

More Applications

• Honest-majority secure computation
  – Efficient in circuit size [RB89,BGW88]
  – Specific setting: n = 3 parties with at most 1 corruption
  – Communication 2^{Õ(√log N)} via 3-server PIR
• "ε-secure sampling" from a joint distribution D [PP12]
  – Protocol lets Alice & Bob sample (x,y) from D
  – Alice knows nothing about y (beyond what is implied by D); Bob knows nothing about x (beyond what is implied by D)
  – Rate of secure sampling D over [N] × [N] from OT
  – New upper bound: O(N^{2/3} poly(log N, 1/ε))

Talk Outline
• Main technical tool: PIR
• OT complexity
  – Upper bound: O(N^{2/3}), via 2-server PIR
• Correlated randomness complexity
  – Upper bound: 2^{Õ(√log N)}, via 3-server PIR
• PSM complexity
• Share complexity for forbidden graphs

Preprocessing Model (Recap)

Correlated randomness (offline phase)
• Independent of inputs
• May depend on f
• OT correlations are a special case

(Diagram: online phase; Alice with (x, rA) and Bob with (y, rB) both output f(x,y).)

Correlated randomness complexity of a function f: size of the correlated randomness required to securely evaluate f
• Truth-table based 2PC: O(N), via 1-out-of-N OT [BCR86]
• Correlated randomness complexity of the worst function in FN?

Correlated Randomness Complexity: 2^{Õ(√log N)} Upper Bound via 3-server PIR

Notation
• PIR algorithms: Q, A, R
• Circuit for algorithm B: C(B); |C(B)| = #ANDs in C(B)

Key observation
• An individual PIR query is independent of the input
• Q = (Q1,2, Q3): (q1, q2) ← Q1,2(i, r), q3 ← Q3(r)

High-level idea: use 2-party secure computation to emulate the client + 3 PIR servers
• DB = truth table of f
• Client query = x||y

Offline phase
(Diagram: randomness r1 goes to Alice and r2 to Bob; q3 = Q3(r1 ⊕ r2) and a3 = A(3, q3, f) are computed offline; a3 is additively shared as a3 = a3,1 ⊕ a3,2, with a3,1 given to Alice and a3,2 to Bob, together with the OT correlations OTA, OTB needed by GMW.)

Correlated randomness
• Shares of the randomness for the PIR query-generation algorithm
• Shares of the answer to the third PIR query
• OT correlations for GMW

Online phase
(Diagram: Alice with (x, r1, a3,1) and Bob with (y, r2, a3,2) run GMW(C(Q')) with Q' = Q1,2(x||y, r1 ⊕ r2), obtaining q1 and q2 respectively. Locally, a1 = A(1, q1, f) and a2 = A(2, q2, f). They then run GMW(C(R')) with R' = R(x||y, r1 ⊕ r2, a1, a2, a3,1 ⊕ a3,2), and both output f(x,y).)

Efficiency
• 3-server PIR [Efr09]: |C(Q)| = |C(R)| = 2^{Õ(√log N)}
• By property of GMW: 2^{Õ(√log N)} OT correlations, 2^{Õ(√log N)} communication
• Correlated randomness: 2^{Õ(√log N)}

Privacy
• Additive secret sharing
• Privacy of GMW
• Privacy of 3-server PIR: the query does not leak additional information

Improving the Bounds?

• (OT + communication) complexity of 2PC
  – Bounded by the communication complexity of 2-server PIR
  – Client shares its input, then acts as the OT oracle
• (Correlated randomness + communication) complexity of 2PC
  – Bounded by the communication complexity of 3-server PIR [IKM+13]
  – The 3rd server provides correlated randomness to servers 1 & 2
• Qualitative explanation of the difference in efficiency
  – 2-server PIR ~ 2PC with OT preprocessing
  – 3-server PIR ~ 2PC with arbitrary preprocessing

Summary
• Main technical tool: PIR
• OT complexity
  – Upper bound: O(N^{2/3}), via 2-server PIR
• Correlated randomness complexity
  – Upper bound: 2^{Õ(√log N)}, via 3-server PIR
• PSM complexity
  – Upper bound: O(√N), via 4-server PIR
• Share complexity for forbidden graphs
  – Upper bound: O(√N), using the PSM above

Thank You!

Preliminary version: www.cs.umd.edu/~ranjit/BIKK.pdf
Slides: www.cs.umd.edu/~ranjit/BIKK.pptx

Talk Outline
• Main technical tool: PIR
• OT complexity
  – Upper bound: O(N^{2/3}), via 2-server PIR
• Correlated randomness complexity
  – Upper bound: 2^{Õ(√log N)}, via 3-server PIR
• PSM complexity
  – Upper bound: O(√N), via 4-server PIR
• Share complexity for forbidden graphs
  – Upper bound: O(√N), using the PSM above

Share Complexity (Recap): Forbidden Graph Access Structures

Model
• External dealer + n parties
• Dealer inactive after sending "shares"
• Access structure: "authorized" subsets
• Share complexity: size of each share

Forbidden graph [SS97]
• Graph G = (V,E) with |V| = N
• Authorized subsets: sets {u,v} with (u,v) ∈ E; any set of size ≥ 3
• O(N/log N) share complexity [DPGV96,EP97,B86]
• What is the share complexity of the worst N-vertex graph?

Bipartite Case: Forbidden Bipartite Graph

• Graph G = (L,R,E) with |L| = |R| = N
• Authorized subsets: {x,y} with x ∈ L, y ∈ R, (x,y) ∈ E; any set of size ≥ 3
• G associated with f : [N] × [N] → {0,1}

Secret sharing
• Share s using 3-out-of-2N Shamir secret sharing
• Also secret share s = sL ⊕ sR ⊕ s'
  – Send sL to every x ∈ L; send sR to every y ∈ R
  – How to share s'?

PSM & Secret Sharing

PSM notation
• Shared randomness: r
• Alice with input x: message Af(x, r)
• Bob with input y: message Bf(y, r)

High-level idea
• Shares: PSM messages
• Reconstruction: PSM reconstruction

(Diagram: shared randomness r; each x ∈ L receives Af(x, r), each y ∈ R receives Bf(y, r).)

Secret sharing scheme for s'
• If dealer input s' = 1: each x ∈ L gets Af(x, r); each y ∈ R gets Bf(y, r)
  – Good for s' = 1
• If dealer input s' = 0: each x ∈ L gets Af(x0, r); each y ∈ R gets Bf(y0, r)
  – Pick some x0, y0 such that f(x0, y0) = 0

Forbidden Graph Access Structures

• From bipartite to general graphs
  – Decompose into log N bipartite graphs
  – Apply standard techniques [BL90,Sti94]
• Forbidden graph access structures: O(√N) share complexity, via O(√N) PSM
• Scheme is non-linear (?)
  – Matches the best known lower bound for linear schemes: Ω(√N) [Min12]


Talk Outline
• Main technical tool: PIR
• OT complexity
  – Upper bound: O(N^{2/3}), via 2-server PIR
• Correlated randomness complexity
  – Upper bound: 2^{Õ(√log N)}, via 3-server PIR
• PSM complexity
  – Upper bound: O(√N), via 4-server PIR
• Share complexity for forbidden graphs

PIR Examples [CGKS95]

Basic 2-server scheme
• PIR queries: T1 ←R [N]; T2 = T1 ⊕ i
  – T ⊕ c = T ∪ {c} if c ∉ T, and T \ {c} if c ∈ T
• PIR answers: A(k, Tk) = ⊕_{j ∈ Tk} DB[j]
• Reconstruction: z = A(1, T1) ⊕ A(2, T2)
• Efficiency: client → server j: O(N) bits; server j → client: 1 bit

(Diagram: the client with index i sends T1 to server 1 and T2 to server 2; both servers hold DB.)

2^d-server PIR with O(N^{1/d}) communication
• DB viewed as a d-dimensional hypercube
• Index i ↔ (i1, …, id), via the binary representation of (i − 1)
• PIR queries: pick (T1, …, Td) ←R [N^{1/d}]^d
  – Server k ↔ (k1, …, kd) gets the query T = (T1 ⊕ k1·i1, …, Td ⊕ kd·id)
• PIR answers: A(k, T) = ⊕ DB[j1, …, jd] over j1 ∈ T1', …, jd ∈ Td' (the sets the server received)
• Reconstruction: z = A(1, T00…0) ⊕ … ⊕ A(2^d, T11…1), over servers S1, …, S2^d
• Efficiency: client → server j: O(dN^{1/d}) bits; server j → client: 1 bit

Reducing the #Servers [CGKS95]

Key observation: any server can emulate d other servers with cost O(N^{1/d})

Query T for server k: (T1 ⊕ k1·i1, …, Td ⊕ kd·id), where k ↔ (k1, …, kd)

Example: 2-server O(N^{1/3}) PIR
• Server 1: query T000 = (T1, T2, T3)
  – List "potential" queries for T100: (T1 ⊕ t, T2, T3) for t ∈ [N^{1/3}]
  – Similarly for T010: (T1, T2 ⊕ t, T3) and T001: (T1, T2, T3 ⊕ t)
  – Answer the query & the 3N^{1/3} "potential" queries
• Server 2: query T111 = (T1 ⊕ i1, T2 ⊕ i2, T3 ⊕ i3)
  – List "potential" queries for T011, T101, T110
  – Answer the query & the 3N^{1/3} "potential" queries
• Client picks the correct answer in each answer list and XORs them
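The two [CGKS95] constructions above (the 2^d-server hypercube scheme, with d = 1 giving the basic 2-server scheme, and the 2-server O(N^{1/3}) scheme obtained by answering "potential" queries) as an added, runnable example; this is our code, not the authors', and the function names are ours. Coordinates are 0-based and N = n^d for a side length n.

```python
import itertools
import random

# Added example: [CGKS95] hypercube PIR and its collapse to 2 servers.
# Each server only ever sees uniformly random subsets of [n], so it learns nothing about i.

def digits_of(i, n, d):
    """Write index i in [n^d] as coordinates (i_1, ..., i_d) in [n]^d."""
    return [(i // n ** (d - 1 - j)) % n for j in range(d)]

def random_sets(n, d):
    """Client randomness: d uniformly random subsets T_1, ..., T_d of [n]."""
    return [{c for c in range(n) if random.getrandbits(1)} for _ in range(d)]

def flip(t, c):
    """T (+) c: add c if absent, remove it if present."""
    return t ^ {c}

def answer(db, n, sets):
    """Server: XOR of the DB cells whose coordinates lie in T_1 x ... x T_d."""
    acc = 0
    for coords in itertools.product(*sets):
        idx = 0
        for c in coords:
            idx = idx * n + c
        acc ^= db[idx]
    return acc

def pir_2d_servers(db, n, d, i):
    """Basic scheme: server k gets (T_j (+) k_j*i_j)_j; client XORs all 2^d bits."""
    ii, base = digits_of(i, n, d), random_sets(n, d)
    z = 0
    for k in itertools.product((0, 1), repeat=d):
        q = [flip(base[j], ii[j]) if k[j] else base[j] for j in range(d)]
        z ^= answer(db, n, q)
    return z

def serve_with_potentials(db, n, q):
    """Emulating server: own answer plus the answers to every single-coordinate flip."""
    pot = [[answer(db, n, q[:j] + [flip(q[j], t)] + q[j + 1:]) for t in range(n)]
           for j in range(len(q))]
    return answer(db, n, q), pot

def pir_2_servers(db, n, i):
    """2-server O(N^(1/3)) scheme: server 1 holds T000, server 2 holds T111."""
    ii, base = digits_of(i, n, 3), random_sets(n, 3)
    a1, pot1 = serve_with_potentials(db, n, base)
    a2, pot2 = serve_with_potentials(db, n, [flip(base[j], ii[j]) for j in range(3)])
    # Client keeps, per coordinate j, the potential answer with t = i_j: that turns
    # T000 into T100/T010/T001 and T111 into T011/T101/T110, completing all 8 queries.
    z = a1 ^ a2
    for j in range(3):
        z ^= pot1[j][ii[j]] ^ pot2[j][ii[j]]
    return z
```

Per server, the client sends 3n bits and receives 1 + 3n bits, which is O(N^{1/3}) for N = n^3.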

Private Simultaneous Messages (Recap)

Model [FKN94]
• Single referee; two (or more) clients
• Non-interactive
• Referee learns only f(x,y)
• Clients share randomness r, unknown to the referee
• All parties know f
• No collusion

(Diagram: Alice with (x, r) and Bob with (y, r) each send one message to the referee, who outputs f(x,y).)

PSM complexity of a function f: communication complexity of a PSM protocol for f
• Efficient for small-depth formulae
• Worst case f: O(N) [FKN94]
• What is the PSM complexity of the worst function in FN?

O(√N) Upper Bound on PSM Complexity: Via 4-server PIR

4-server PIR [CGKS95]: obtained by collapsing the basic 16-server O(N^{1/4}) PIR scheme
• Query T for server k: (T1 ⊕ k1·i1, …, T4 ⊕ k4·i4), where k ↔ (k1, …, k4)

Key observation
• Index i ↔ (i1, i2, i3, i4)
• Input x specifies i1, i2; input y specifies i3, i4
• 15 of the 16 servers are emulated by the clients

High-level idea: the clients use shared randomness & the referee's help to emulate the client + 3 PIR servers in the 4-server PIR scheme of [CGKS95]
• DB = truth table of f
• Client query i = x||y

Query + answer generation
• Shared randomness: T0000 = (T1, …, T4)
• Alice knows T1 ⊕ i1, T2 ⊕ i2
  – Answers for T**00
  – "Potential" answers for T**01, T**10
• Bob knows T3 ⊕ i3, T4 ⊕ i4
  – Answers for T00**
  – "Potential" answers for T01**, T10**
• The missing query T1111 equals (T1 ⊕ i1, T2 ⊕ i2, T3 ⊕ i3, T4 ⊕ i4); its answer is computed by the referee

Reconstruction
• Selecting from the "potential" answer lists: use a known PSM (small-depth circuit)
• The PSM outputs the XOR of these 15 answers
• The remaining answer is computed by the referee, who finally XORs it with the PSM output
• The referee's reconstruction function is "non-universal"


The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 259426 – ERC – Cryptography and Complexity.
