![Page 1: The Complexity of Information-Theoretic Secure Computation Yuval Ishai Technion 2014 European School of Information Theory](https://reader037.vdocument.in/reader037/viewer/2022103112/551a7ae3550346b52d8b53cb/html5/thumbnails/1.jpg)
The Complexity of Information-Theoretic Secure Computation
Yuval Ishai
Technion
2014 European School of Information Theory
Information-Theoretic Cryptography
• Any question in cryptography that makes sense even if everyone is computationally unbounded
• Typically: unconditional security proofs
• Focus of this talk: Secure Multiparty Computation (MPC)

Talk Outline
• Gentle introduction to MPC
• Communication complexity of MPC
  – PIR, LDC, and related problems
• Open problems

How much do we earn?
Goal: compute Σ xi without revealing anything else
(Figure: six parties holding private inputs x1, …, x6)

A better way?
Assumption: xi < M (say, M = 10^10); + and − operations are carried out modulo M
Pick a random 0 ≤ r < M; each party adds its input to the running sum it receives and passes it on:
m1 = r + x1
m2 = m1 + x2
m3 = m2 + x3
m4 = m3 + x4
m5 = m4 + x5
m6 = m5 + x6
Output m6 − r

A security concern
(Figure: the same chain of six parties; P1 sends m1 and P3 receives m2 = m1 + x2, so if P1 and P3 collude they learn x2)

Resisting collusions
(Figure: each pair of parties shares a fresh random mask, e.g. r12, r16, r25, r32, r43, r51, r65, sent from one party of the pair to the other)
Each Pi announces xi + inboxi − outboxi, where inboxi is the sum of the masks Pi received and outboxi the sum of the masks it sent; every mask appears once with + and once with −, so the announcements sum to Σ xi.
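The three steps above (the chained sum, the leak to two colluding neighbours, and the pairwise-masked version), as an added Python example that is not from the talk; the salary values are constructed and the modulus M = 10^10 follows the slide.

```python
import secrets

M = 10**10   # modulus from the slide; assumption: every input xi < M


def chained_sum(inputs):
    """Slide 5: the first party masks with a random r, each party adds its input to the
    running sum it receives, and the first party finally removes r."""
    r = secrets.randbelow(M)
    messages = []
    m = r
    for x in inputs:
        m = (m + x) % M          # m_i = m_{i-1} + x_i, passed to the next party
        messages.append(m)
    return (messages[-1] - r) % M, messages


def colluding_neighbours(messages, j):
    """Slide 6: the party that sent m_{j-1} and the party that received m_j together hold
    both values, and m_j - m_{j-1} is exactly the input of the party in between (0-based j >= 1)."""
    return (messages[j] - messages[j - 1]) % M


def pairwise_masked_sum(inputs):
    """Slide 7: every pair shares a fresh random mask r_ij sent from Pi to Pj (i < j).
    Pi announces xi + inbox_i - outbox_i; every mask appears once with + and once with -,
    so the announcements sum to the true total, while a single announcement is uniformly
    random as long as at least one of Pi's masks is unknown to the adversary."""
    k = len(inputs)
    inbox, outbox = [0] * k, [0] * k
    for i in range(k):
        for j in range(i + 1, k):
            r_ij = secrets.randbelow(M)
            outbox[i] = (outbox[i] + r_ij) % M
            inbox[j] = (inbox[j] + r_ij) % M
    announcements = [(inputs[i] + inbox[i] - outbox[i]) % M for i in range(k)]
    return sum(announcements) % M, announcements


if __name__ == "__main__":
    salaries = [5000, 7200, 6100, 8300, 4400, 9900]     # constructed sample inputs
    total, msgs = chained_sum(salaries)
    print("chained sum:", total)
    print("P1 and P3 colluding learn x2 =", colluding_neighbours(msgs, 1))
    print("masked sum:", pairwise_masked_sum(salaries)[0])
```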

More generally
• P1, …, Pk want to securely compute f(x1, …, xk)
  – Up to t parties can collude
  – Should learn (essentially) nothing but the output
• Questions
  – When is this at all possible?
  – How efficiently?
• Information-theoretic (unconditional) security possible when t < k/2 [BGW88, CCD88, RB89]
• Computational security possible for any t (under standard cryptographic assumptions) [Yao86, GMW87, CLOS02]
  – Or: information-theoretic security using correlated randomness [Kil88, BG89]
• Similar feasibility results for security against malicious parties
(Figure: secure MPC protocol for f among P1, …, Pk)

More generally
• Several efficiency measures: communication, randomness, rounds, computation
• Typical assumptions for the rest of the talk:
  – t = 1, k = small constant
  – information-theoretic security
  – “semi-honest” parties, secure channels

Communication Complexity

Fully Homomorphic Encryption
Gentry ’09
• Settles the main communication complexity questions in complexity-based cryptography
  – Even under “nice” assumptions! [BV11]
• Main open questions
  – Further improve assumptions
  – Improve practical computational overhead
• FHE >> PKE >> SKE >> one-time pad

One-Time Pads for MPC [IKMOP13]
• Offline (trusted dealer):
  – Set G[u,v] = f[u−dx, v−dy] for random dx, dy
  – Pick random GA, GB such that G = GA + GB
  – Alice gets GA, dx; Bob gets GB, dy
• Protocol on inputs (x, y):
  – Alice sends u = x + dx, Bob sends v = y + dy
  – Alice sends zA = GA[u,v], Bob sends zB = GB[u,v]
  – Both output z = zA + zB
(Figure: a trusted dealer hands Alice (input x) her share GA, labelled RA in the figure, and Bob (input y) his share GB, labelled RB; the example table G is the truth table of f shifted by dx rows and dy columns, and both parties end up with f(x,y))

3-Party MPC for g(x,y,z)
(Figure: Alice (input x) holds RA, Bob (input y) holds RB; Carol (input z) sends zA to Alice and zB to Bob; Alice and Bob output g(x,y,z))
• Define f((x,zA),(y,zB)) = g(x,y,zA+zB)
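An added Python implementation of the one-time-pad MPC above and of the 3-party reduction of slide 13 (my own code, not from the paper): the dealer, the two-message online phase and a three_party wrapper; the domain Z_n, the functions used and the encoding of (x, zA) as one element of Z_{n^2} are my assumptions.

```python
import secrets


def dealer(f, n):
    """Offline phase (slide 12): a trusted dealer prepares correlated randomness for f on
    inputs in Z_n. G[u][v] = f(u-dx, v-dy) is the shifted truth table, split into random
    GA + GB (mod n). Each party stores an n x n table: exponential in the input length."""
    dx, dy = secrets.randbelow(n), secrets.randbelow(n)
    G = [[f((u - dx) % n, (v - dy) % n) % n for v in range(n)] for u in range(n)]
    GA = [[secrets.randbelow(n) for _ in range(n)] for _ in range(n)]
    GB = [[(G[u][v] - GA[u][v]) % n for v in range(n)] for u in range(n)]
    return (GA, dx), (GB, dy)


def online(alice_rand, bob_rand, x, y, n):
    """Online phase: two rounds, each party sends one masked input and one table entry.
    u and v are one-time-padded inputs, and zA, zB are additive shares of f(x,y)."""
    (GA, dx), (GB, dy) = alice_rand, bob_rand
    u = (x + dx) % n               # Alice -> Bob
    v = (y + dy) % n               # Bob -> Alice
    zA = GA[u][v]                  # Alice -> Bob
    zB = GB[u][v]                  # Bob -> Alice
    return (zA + zB) % n            # both output f(x,y)


def three_party(g, n, x, y, z):
    """Slide 13: Carol splits z = zA + zB (mod n) and hands the shares to Alice and Bob,
    who evaluate f((x,zA),(y,zB)) = g(x, y, zA+zB) with the 2-party protocol.
    Assumption: the pair (x, zA) is encoded as the single Z_{n^2} element x*n + zA."""
    zA = secrets.randbelow(n)
    zB = (z - zA) % n

    def f(xa, yb):
        xx, za = divmod(xa, n)
        yy, zb = divmod(yb, n)
        return g(xx, yy, (za + zb) % n)

    a_rand, b_rand = dealer(f, n * n)
    return online(a_rand, b_rand, x * n + zA, y * n + zB, n * n)


if __name__ == "__main__":
    alice, bob = dealer(lambda a, b: a * b % 7, 7)
    print("3*4 mod 7 =", online(alice, bob, 3, 4, 7))
    print("2 + 3*4 mod 5 =", three_party(lambda x, y, z: (x + y * z) % 5, 5, 2, 3, 4))
```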

One-Time Pads for MPC
• The good:
  – Perfect security
  – Great online communication
• The bad:
  – Exponential offline communication
• Can we do better?
  – Yes if f has small circuit complexity
  – Idea: process the circuit gate by gate
• k = 3, t = 1: can use the one-time pad approach
• k > 2t: use “multiplicative” (aka MPC-friendly) codes
• Communication grows with circuit size, rounds with circuit depth

MPC vs. Communication Complexity
(Figure: three parties holding inputs a, b, c)
                  Communication Complexity           MPC
Goal              Each party learns f(a,b,c)         Each party learns only f(a,b,c)
Upper bound       O(n)  (n = input length)           O(size(f))  [BGW88, CCD88]
Lower bound       Ω(n)  (for most f)                 Ω(n)  (for most f)
Big open question: poly(n) communication for all f?
“fully homomorphic encryption of information-theoretic cryptography”

Question Reformulated
Is the communication complexity of MPC strongly correlated with the computational complexity of the function being computed?
(Figure: Venn diagram of all functions containing the efficiently computable functions; legend: functions with communication-efficient MPC vs. functions with no communication-efficient MPC)

(Figure: timeline from 1990 to 2000 relating the three problems PIR, LDC and MPC, marking [KT00] and [IK04])
• The three problems are closely related

Private Information Retrieval [Chor-Goldreich-Kushilevitz-Sudan95]
(Figure: a client holding index i queries servers holding a database x ∈ {0,1}^n and learns xi; the servers learn nothing about i)
• “Information-Theoretic” vs. Computational
• Main question: minimize communication (log n vs. n)

A Simple I.T. PIR Protocol
• View the database as an n^{1/2} × n^{1/2} bit matrix X; the client wants the column containing bit i
• Client: pick random q1, q2 ∈ {0,1}^{n^{1/2}} with q1 + q2 = ei; send q1 to S1 and q2 to S2
• Servers: S1 replies a1 = X·q1, S2 replies a2 = X·q2
• Client: a1 + a2 = X·ei, the i-th column of X
• 2-server PIR with O(n^{1/2}) communication
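The 2-server protocol above as an added Python example (not code from the talk); the 16-bit database in the usage is constructed and n is assumed to be a perfect square.

```python
import secrets
from math import isqrt


def client_queries(i, n):
    """Client: view x as an s x s bit matrix (s = n^{1/2}, n a perfect square assumed) and
    share the unit vector of the column holding bit i as q1 + q2 over F2. q1 is uniform and
    q2 = q1 + e_col is uniform too, so neither server alone learns anything about i."""
    s = isqrt(n)
    row, col = divmod(i, s)
    q1 = [secrets.randbelow(2) for _ in range(s)]
    q2 = [q1[j] ^ (1 if j == col else 0) for j in range(s)]
    return q1, q2, row


def server_answer(x, q):
    """Server: a = X * q over F2, i.e. the XOR of the columns selected by q (s bits)."""
    s = len(q)
    answer = [0] * s
    for r in range(s):
        for c in range(s):
            if q[c]:
                answer[r] ^= x[r * s + c]
    return answer


def retrieve_bit(x, i):
    """a1 + a2 = X * (q1 + q2) = X * e_col is the wanted column; pick the wanted row.
    Communication: 2*s query bits + 2*s answer bits = O(n^{1/2})."""
    q1, q2, row = client_queries(i, len(x))
    a1, a2 = server_answer(x, q1), server_answer(x, q2)
    return a1[row] ^ a2[row]


if __name__ == "__main__":
    database = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]   # constructed, n = 16
    print([retrieve_bit(database, i) for i in range(len(database))] == database)
```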

A Simple Computational PIR Protocol [Kushilevitz-Ostrovsky97]
Tool: (linear) homomorphic encryption: from E(a) and E(b) anyone can compute E(a+b)
(Figure: X is again an n^{1/2} × n^{1/2} bit matrix, shown with four columns)
Protocol:
• Client sends E(ei) = (E(0), E(0), E(1), E(0)) = (c1, c2, c3, c4)
• Server replies with E(X·ei): for each row of X, the homomorphic combination of the ciphertexts cj at the positions where that row has a 1 (in the figure: c2c3, c1c2c3, c1c2, c4)
• Client recovers the i-th column of X
• 1-server CPIR with Õ(n^{1/2}) communication

Why Information-Theoretic PIR?
Cons:
• Requires multiple servers
• Privacy against limited collusions
• Worse asymptotic complexity (with constant k): 2^{Õ(√log n)} [Yekhanin07, Efremenko09] vs. polylog(n) [Cachin-Micali-Stadler99, Lipmaa05, Gilboa-I14]
Pros:
• Interesting theoretical question
• Unconditional privacy
• Better “real-life” efficiency
• Allows for very short (logarithmic) queries or very short (constant-size) answers
• Closely related to locally decodable codes & friends

Locally Decodable Codes
Requirements:
• High robustness
• Local decoding
(Figure: message x ∈ {0,1}^n is encoded as a codeword y of length m; the decoder reads k positions of y to recover xi)
• If < 1% of y is corrupted, xi is recovered with probability > 0.51
• Question: how large should m(n) be in a k-query LDC?
  – k = 2: 2^{Θ(n)}
  – k = 3: between Ω(n^2) and 2^{2^{Õ(√log n)}}

From I.T. PIR to LDC [Katz-Trevisan00]
• Uniform PIR queries → “smooth” LDC decoder → robustness
• Arrows can be reversed
k-server PIR with short queries and short answers ↔ k-query LDC of length 2^(query length) over the alphabet Σ = {0,1}^(answer length)
  – y[q] = Answer(x, q)
Simplifying assumptions:
• Servers compute the same function of (x, q)
• Each query is uniform over its support set
Binary LDC ↔ PIR with one answer bit per server

Applications of Local Decoding
• Coding
  – LDC, Locally Recoverable Codes (robustness)
  – Batch Codes (load balancing)
• Cryptography
  – Instance Hiding, PIR (secrecy)
  – Efficient MPC for “worst” functions
• Complexity theory
  – Locally random reductions, PCPs
  – Worst-case to average-case reductions, hardness amplification

Complexity of PIR: Total Communication
• Mainly interesting for k = 2
• Upper bound (k = 2): O(n^{1/3}) [CGKS95]
  – Tight in a restricted model [RY07]
• Lower bound (k = 2): 5 log n [Man98, …, WW05]
• No natural coding analogue

Complexity of PIR: Short Answers
• Short answers = O(1) bits from each server
  – Closely related to k-query binary LDCs
• k = 2
  – Simple O(n) upper bound [CGKS05]
    • PIR analogue of the Hadamard code
  – Ω(n) lower bound [GKST02, KdW04]
• k > log n / log log n
  – Simple polylog(n) upper bound [BF90, CGKS05]
    • PIR analogue of the RM code
  – Binary LDCs of length poly(n) and k = polylog(n) queries

Complexity of PIR: Short Answers
• k = 3
  – Lower bound
    • [KdW04, …, Woo07]: 2 log n
  – Upper bounds
    • [CGKS95]: O(n^{1/2})
    • [Yekhanin07]: n^{O(1/log log n)}, assuming infinitely many Mersenne primes
    • [Efremenko09]: n^{Õ(1/√log n)}
  – More practical variant [BIKO12]

Complexity of PIR: Short Answers
• k = 4, 5, 6, …
  – Lower bound
    • [KdW04, …, Woo07]: c(k)·log n
  – Upper bounds
    • [CGKS95]: O(n^{1/(k−1)})
    • [Yekhanin07]: n^{O(1/log log n)}, assuming infinitely many Mersenne primes
    • [Efremenko09]: n^{Õ(1/(log n)^{c’(k)})}

Complexity of PIR: Short Queries
• Short queries = O(log n) bits to each server
  – Closely related to poly(n)-length LDCs over large Σ
  – Application: PIR with preprocessing [BIM00]
• k = 2, 3, 4, …
  – Answer length = O(n^{1/k+ε}) [BI01]
  – Lower bounds: ???

Complexity of PIR: Low Storage
• Different servers may store different functions of x
  – Goal: minimize communication subject to storage rate = 1 − ε
  – Corresponds to binary LDCs with rate 1 − ε
• Rate = 1 − ε, k = O(n^ε), 1-bit answers
  – Multiplicity codes [DGY11]
  – Lifting of affine-invariant codes [GKS13]
  – Expander codes [HOW13]

Best 2-Server PIR [CGKS95, BI01]
• Reduce to private polynomial evaluation over F2
  – Servers: x → p = degree-3 polynomial in m ≈ n^{1/3} variables
  – Client: i → z ∈ F2^m
  – Local mappings must satisfy px(z(i)) = xi for all x, i
  – Simple implementation: z(i) = i-th weight-3 binary vector
• Privately evaluate p(z)
  – Client:
    • splits z into z = a + b, where a, b are random
    • sends a to S1 and b to S2
  – Servers:
    • write p(z) = p(a+b) as pa(b) + pb(a) where deg(pa), deg(pb) ≤ 1, pa known to S1 and pb known to S2
    • send descriptions of pa, pb to the client, who outputs pa(b) + pb(a)
• With degree d = O(log n): O(log n)-bit queries, O(n^{1/2+ε})-bit answers

Tool: Secret Sharing
• Randomized mapping of secret s to shares (s1, s2, …, sk)
  – Linear secret sharing: shares = L(s, r1, …, rm)
• Access structure: subset A of 2^[k] specifying the authorized sets
  – Sets of shares not in A should reveal nothing about s
  – Optimal share complexity for a given A is wide open
  – Here: k = 3, each share hides s, all shares determine s
• Useful examples for linear schemes
  – Additive sharing: s = s1 + s2 + s3
  – Shamir’s secret sharing: si = p(i) where p(x) = s + rx
  – CNF secret sharing: s = r1 + r2 + r3, s1 = (r2, r3), s2 = (r1, r3), s3 = (r1, r2)
  – CNF is “maximal”, additive is “minimal”
• For any linear scheme: [v], x → [<v,x>] (without interaction)
  – PIR with short answers reduces to the client sharing [ei] while hiding i
  – Enough to share a multiple of [ei]

Tool: Matching Vectors [Yek07, Efr09, DGY10]
• Vectors u1, …, un in Zm^h are S-matching if:
  – <ui, ui> = 0
  – <ui, uj> ∈ S for i ≠ j (0 ∉ S)
• Surprising fact: super-polynomial n(h) when m is composite
  – For instance, n = h^{O(log h)} for m = 6, S = {1, 3, 4}
  – Based on large set systems with restricted intersections modulo m [BF80, Gro00]
• Matching vectors can be used to compress a “negated” shared unit vector
  – [v] = [<ui,u1>, <ui,u2>, …, <ui,un>]
  – v is 0 only in the i-th entry
• Apply local share conversion to obtain shares of [v’], where v’ is nonzero only in the i-th entry
  – Efremenko09: share conversion from Shamir to additive, requires large m
  – Beimel-I-Kushilevitz-Orlov12: share conversions from CNF to additive, m = 6, 15, …

Matching Vectors & Circuits
(Figure: a depth-2 circuit of mod-6 gates over inputs x1, x2, …, xh; its VC-dimension lies between 2^{h^{log h}} and 2^{2^h})
• Actual dimension wide open; related to the size of:
  – Set systems with restricted intersections [BF80, Gro00]
  – Matching vector sets [Yek07, Efr09, DGY10]
  – Degree of representing “OR” modulo m [BBR92]

Share Conversion
Given: CNF shares of s mod 6; locally compute additive shares of s’ such that
• s = 0 ⇒ s’ ≠ 0
• s ≠ 0 (s = 1, 3, 4) ⇒ s’ = 0

Big Set System with Limited mod-6 Intersections
• Goal: find N subsets Ti of [h] such that:
  – |Ti| ≡ 1 (mod 6)
  – |Ti ∩ Tj| ∈ {0, 3, 4} (mod 6)
• h = query length; N = database size
• [Frankl83]: h = …, N = …
  – h ≈ 7N^{1/4}
• Better asymptotic constructions exist

Big Set System with Limited mod-6 Intersections
(Figure: Ti = edge set of an r-clique with r = 11, so |Ti| = C(11,2) = 55 ≡ 1 (mod 6); two cliques sharing t vertices, 3 ≤ t ≤ 10, have |Ti ∩ Tj| = C(t,2) ∈ {0, 3, 4} (mod 6); h = …, N = …)

PIR → MPC
• Arbitrary polylogarithmic 3-server PIR → MPC with poly(|input|) communication [IK04]
• Applications of computationally efficient PIR [BIKK14]
  – 2-server PIR → OT-complexity of secure 2-party computation
  – 3-server PIR → correlated randomness complexity
• Applications of “decomposable” PIR [BIKK14]
  – Private simultaneous messages protocols
  – Secret-sharing for graph access structures

Open Problems: PIR and LDC
• Understand the limitations of current techniques
  – Better bounds on matching vectors?
  – More powerful share conversions?
• t-private PIR with n^{o(1)} communication
  – Known with 3^t servers [Barkol-I-Weinreb08]
  – Related to locally correctable codes
• Any savings for (classes of) polynomial-time f: {0,1}^n → {0,1}?
• Barriers for strong lower bounds?
  – [Dvir10]: strong lower bounds for locally correctable codes imply explicit rigid matrices and size-depth lower bounds

Open Problems: MPC
• High end: understand the complexity of the “worst” f
  – O(2^{n^ε}) vs. Ω(n)
  – Closely related to PIR and LDC
• Mid range: nontrivial savings for “moderately hard” f?
• Low end: bounds on the amortized rate of finite f
  – In the honest-majority setting
  – Given noisy channels