Cryptography with constant computational overhead

Current constructions of cryptographic primitives typically involve a large multiplicative computational overhead that grows with the desired level of security. We explore the possibility of implementing basic cryptographic primitives, such as encryption, authentication, signatures, and secure two-party computation, while incurring only a constant computational overhead compared to insecure implementations of the same tasks. Here we make the usual security requirement that the advantage of any polynomial-time attacker must be negligible in the input length. We obtain affirmative answers to this question for most central cryptographic primitives under plausible, albeit sometimes nonstandard, intractability assumptions. We start by showing that pairwise-independent hash functions can be computed by linear-size circuits, disproving a conjecture of Mansour, Nisan, and Tiwari (STOC 1990). This construction does not rely on any unproven assumptions and is of independent interest. Our hash functions can be used to construct message authentication schemes with constant overhead from any one-way function. Under an intractability assumption that generalizes a previous assumption of Alekhnovich (FOCS 2003), we get (public and private key) encryption schemes with constant overhead. Using an exponentially strong version of the previous assumption, we get signature schemes of similar complexity. Assuming the existence of pseudorandom generators in NC0 with polynomial stretch together with the existence of an (arbitrary) oblivious transfer protocol, we get similar results for the seemingly very complex task of secure two-party computation. More concretely, we get general protocols for secure two-party computation in the semi-honest model in which the two parties can be implemented by circuits whose size is a constant multiple of the size s of the circuit to be evaluated.
In the malicious model, we get protocols whose communication complexity is a constant multiple of s and whose computational complexity is slightly super-linear in s. For natural relaxations of security in the malicious model that are still meaningful in practice, we can also keep the computational complexity linear in s. These results extend to the case of a constant number of parties, where an arbitrary subset of the parties can be corrupted. Our protocols rely on non-black-box techniques, and suggest the intriguing possibility that the ultimate efficiency in this area of cryptography can be obtained via such techniques.
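The pairwise-independent hashing and the hash-then-PRF message authentication pattern that the abstract refers to, as an added worked example in Python. This is not the paper's own construction: the paper's contribution is a pairwise-independent family computable by linear-size circuits, while the family below is the textbook affine family over a prime field, whose circuit size is superlinear but which satisfies the same pairwise-independence definition and plugs into the same generic MAC. HMAC-SHA256 stands in for the pseudorandom function that one-way functions yield; the field size, block size, fixed-length message domain and nonce handling are choices of this example, and the sample message is constructed.

```python
"""Pairwise-independent hashing and a hash-then-PRF MAC (added example).

The paper's contribution is a pairwise-independent family computable by
linear-size circuits; the family below is the textbook affine family over a
prime field (superlinear circuit size) that satisfies the same definition,
so it plugs into the same generic MAC construction.
"""
import hashlib
import hmac
import secrets
from itertools import product

P = 2**61 - 1      # Mersenne prime; hash values live in Z_P (example choice)
BLOCK = 7          # bytes per field element (56 bits < 61 bits)
MAX_BLOCKS = 32    # fixed-length message domain Z_P^(MAX_BLOCKS + 1)


def affine_hash(a, b, xs, p=P):
    """h_{a,b}(x) = <a, x> + b (mod p) for x in Z_p^k.

    For a uniform in Z_p^k and b uniform in Z_p the family is pairwise
    independent: for x != y, (h(x), h(y)) is uniform over Z_p^2.
    """
    return (sum(ai * xi for ai, xi in zip(a, xs)) + b) % p


def check_pairwise_independence(p, k=1):
    """Exhaustive check for a small prime p: for every x != y in Z_p^k, every
    target pair (u, v) is produced by exactly p^(k-1) of the p^(k+1) keys."""
    expected = p ** (k - 1)
    vectors = list(product(range(p), repeat=k))
    keys = [(a, b) for a in product(range(p), repeat=k) for b in range(p)]
    for x in vectors:
        for y in vectors:
            if x == y:
                continue
            counts = {}
            for a, b in keys:
                pair = (affine_hash(a, b, x, p), affine_hash(a, b, y, p))
                counts[pair] = counts.get(pair, 0) + 1
            if len(counts) != p * p or any(c != expected for c in counts.values()):
                return False
    return True


def encode(msg: bytes):
    """Map a message of at most BLOCK*MAX_BLOCKS bytes to a vector in
    Z_P^(MAX_BLOCKS+1): zero-padded 56-bit blocks followed by the byte
    length, so distinct messages give distinct vectors and pairwise
    independence over vectors carries over to messages."""
    if len(msg) > BLOCK * MAX_BLOCKS:
        raise ValueError("message too long for the fixed-length domain")
    padded = msg + b"\x00" * (BLOCK * MAX_BLOCKS - len(msg))
    blocks = [int.from_bytes(padded[i:i + BLOCK], "big")
              for i in range(0, len(padded), BLOCK)]
    return blocks + [len(msg)]


class HashThenPRFMAC:
    """Wegman-Carter style MAC: tag = h_{a,b}(m) + F_k(nonce) (mod P).

    F is a PRF, which exists iff one-way functions do; HMAC-SHA256 stands in
    for it here (an assumption of this example). The nonce must never repeat
    under one key: F_k(nonce) is a one-time pad on the hash value, and a
    repeat leaks h(m) - h(m'), a linear equation in the hash key a.
    """

    def __init__(self):
        self.a = [secrets.randbelow(P) for _ in range(MAX_BLOCKS + 1)]
        self.b = secrets.randbelow(P)
        self.prf_key = secrets.token_bytes(32)

    def _mask(self, nonce: bytes) -> int:
        digest = hmac.new(self.prf_key, nonce, hashlib.sha256).digest()
        # reducing 256 uniform bits mod a 61-bit prime leaves bias about 2^-195
        return int.from_bytes(digest, "big") % P

    def tag(self, nonce: bytes, msg: bytes) -> bytes:
        t = (affine_hash(self.a, self.b, encode(msg)) + self._mask(nonce)) % P
        return t.to_bytes(8, "big")

    def verify(self, nonce: bytes, msg: bytes, tag: bytes) -> bool:
        # constant-time comparison so verification is not a timing oracle
        return hmac.compare_digest(self.tag(nonce, msg), tag)


if __name__ == "__main__":
    print("affine family pairwise independent over Z_5:",
          check_pairwise_independence(5))
    mac = HashThenPRFMAC()
    nonce, msg = b"nonce-0001", b"transfer 100 to alice"   # constructed sample
    t = mac.tag(nonce, msg)
    print("verify original:", mac.verify(nonce, msg, t))
    print("verify tampered:", mac.verify(nonce, b"transfer 900 to alice", t))
```

The exhaustive check is the definition of pairwise independence made concrete: over Z_5 with k=1 there are 25 keys and 25 possible output pairs for any two distinct inputs, and each pair is hit exactly once. The MAC inherits its unforgeability from that property plus the PRF mask; the practical caveat is the nonce, since reusing one under the same key collapses the one-time-pad argument.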

[1]  A. Yao How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[2]  Leonid A. Levin,et al.  Pseudo-random generation from one-way functions , 1989, STOC '89.

[3]  Noam Nisan,et al.  The computational complexity of universal hashing , 1990, Proceedings Fifth Annual Structure in Complexity Theory Conference.

[4]  Noga Alon,et al.  Construction of asymptotically good low-rate error-correcting codes through pseudo-random graphs , 1992, IEEE Trans. Inf. Theory.

[5]  Michael O. Rabin,et al.  How To Exchange Secrets with Oblivious Transfer , 2005, IACR Cryptol. ePrint Arch..

[6]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[7]  Rafail Ostrovsky,et al.  Zero-knowledge from secure multiparty computation , 2007, STOC '07.

[8]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[9]  Yuval Ishai,et al.  On Pseudorandom Generators with Linear Stretch in NC0 , 2006, computational complexity.

[10]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[11]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[12]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[13]  J. L. Bordewijk Inter-reciprocity applied to electrical networks , 1957 .

[14]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[15]  Oded Goldreich,et al.  How to Solve any Protocol Problem - An Efficiency Improvement , 1987, CRYPTO.

[16]  Luca Trevisan,et al.  On e-Biased Generators in NC0 , 2003, FOCS.

[17]  Manuel Blum,et al.  How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[18]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[19]  Benny Pinkas,et al.  Efficient Private Matching and Set Intersection , 2004, EUROCRYPT.

[20]  Elchanan Mossel,et al.  On ε‐biased generators in NC0 , 2006, Random Struct. Algorithms.

[21]  Yuval Ishai,et al.  Cryptography with Constant Input Locality , 2007, Journal of Cryptology.

[22]  Riccardo Pucella Joint review of Foundations of cryptography: basic tools by O. Goldreich. Cambridge University Press. and Modelling and analysis of security protocols by P. Ryan and S. Schneider. Addison Wesley. , 2003, SIGA.

[23]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[24]  Yuval Ishai,et al.  Computationally Private Randomizing Polynomials and Their Applications , 2005, Computational Complexity Conference.

[25]  Yehuda Lindell,et al.  Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries , 2007, TCC.

[26]  Peter Bro Miltersen,et al.  On pseudorandom generators in NC0 , 2001 .

[27]  Oded Goldreich,et al.  The Bit Extraction Problem of t-Resilient Functions (Preliminary Version) , 1985, FOCS.

[28]  Joe Kilian,et al.  Founding cryptography on oblivious transfer , 1988, STOC '88.

[29]  Moni Naor,et al.  Small-Bias Probability Spaces: Efficient Constructions and Applications , 1993, SIAM J. Comput..

[30]  Eyal Kushilevitz,et al.  Exposure-Resilient Functions and All-or-Nothing Transforms , 2000, EUROCRYPT.

[32]  Warren D. Smith 1. AES seems weak. 2. Linear time secure cryptography , 2007, IACR Cryptol. ePrint Arch..

[33]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[34]  Elchanan Mossel,et al.  On ε-biased generators in NC0 , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[35]  Donald Beaver,et al.  Correlated pseudorandomness and the complexity of private computations , 1996, STOC '96.

[36]  Avi Wigderson,et al.  Randomness conductors and constant-degree lossless expanders , 2002, Proceedings 17th IEEE Annual Conference on Computational Complexity.

[37]  Silvio Micali,et al.  Why and how to establish a private code on a public network , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[38]  Larry Carter,et al.  Universal Classes of Hash Functions , 1979, J. Comput. Syst. Sci..

[39]  Venkatesan Guruswami,et al.  Expander-based constructions of efficiently decodable codes , 2001, FOCS.

[40]  Moni Naor,et al.  Communication preserving protocols for secure function evaluation , 2001, STOC '01.

[41]  Peter Bro Miltersen,et al.  On Pseudorandom Generators in NC0 , 2001, MFCS.

[42]  Donald Beaver,et al.  Precomputing Oblivious Transfer , 1995, CRYPTO.

[43]  Yuval Ishai,et al.  On Pseudorandom Generators with Linear Stretch in NC0 , 2006, APPROX-RANDOM.

[44]  Yuval Ishai,et al.  Cryptography in NC0 , 2004, SIAM J. Comput..

[45]  Amir Shpilka,et al.  On ε-Biased Generators in NC0 , 2003 .

[46]  Yuval Ishai,et al.  Founding Cryptography on Oblivious Transfer - Efficiently , 2008, CRYPTO.

[47]  Vadim Lyubashevsky,et al.  The Parity Problem in the Presence of Noise, Decoding Random Linear Codes, and the Subset Sum Problem , 2005, APPROX-RANDOM.

[48]  Silvio Micali,et al.  How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design , 1986, CRYPTO.

[49]  Yuval Ishai,et al.  Perfect Constant-Round Secure Computation via Perfect Randomizing Polynomials , 2002, ICALP.

[50]  Oded Goldreich,et al.  The bit extraction problem or t-resilient functions , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[51]  Moni Naor,et al.  A minimal model for secure computation (extended abstract) , 1994, STOC '94.

[52]  Daniel A. Spielman,et al.  Expander codes , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[53]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[54]  Daniel A. Spielman,et al.  Linear-time encodable and decodable error-correcting codes , 1995, STOC '95.