Randomizing polynomials: A new representation with applications to round-efficient secure computation

Motivated by questions about secure multi-party computation, we introduce and study a new natural representation of functions by polynomials, which we term randomizing polynomials. "Standard" low-degree polynomials over a finite field are easy to compute with a small number of communication rounds in virtually any setting for secure computation. However, most Boolean functions cannot be evaluated by a polynomial whose degree is smaller than their input size. We get around this barrier by relaxing the requirement of evaluating f into a weaker requirement of randomizing f: mapping the inputs of f along with independent random inputs into a vector of outputs, whose distribution depends only on the value of f. We show that degree-3 polynomials are sufficient to randomize any function f, relating the efficiency of such a randomization to the branching program size of f. On the other hand, by characterizing the exact class of Boolean functions which can be randomized by degree-2 polynomials, we show that 3 is the minimal randomization degree of most functions. As an application, randomizing polynomials provide a powerful, general, and conceptually simple tool for the design of round-efficient secure protocols. Specifically, the secure evaluation of any function can be reduced to a secure evaluation of degree-3 polynomials. One corollary of this reduction is that two (respectively, three) communication rounds are sufficient for k parties to compute any Boolean function f of their inputs, with perfect information-theoretic [k-1/3]-privacy (resp., [k-1/2]-privacy), and communication complexity which is at most quadratic in the branching program size of f (with a small probability of one-sided error).

[1]  Eric Allender,et al.  The complexity of matrix rank and feasible systems of linear equations , 1999, computational complexity.

[2]  David A. Mix Barrington,et al.  Representing Boolean functions as polynomials modulo composite numbers , 1992, STOC '92.

[3]  Shi-Chun Tsai Lower bounds on representing Boolean functions as polynomials in Z/sub m/ , 1993, [1993] Proceedings of the Eigth Annual Structure in Complexity Theory Conference.

[4]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[5]  Silvio Micali,et al.  The Round Complexity of Secure Protocols (Extended Abstract) , 1990, STOC 1990.

[6]  William Hugh Murray,et al.  Modern Cryptography , 1995, Information Security Journal.

[7]  Noam Nisan,et al.  On the degree of boolean functions as real polynomials , 1992, STOC '92.

[8]  A. Yao How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[9]  Andrew Chi-Chih Yao,et al.  Protocols for Secure Computations (Extended Abstract) , 1982, FOCS.

[10]  Joan Feigenbaum,et al.  Security with Low Communication Overhead , 1990, CRYPTO.

[11]  Ivan Damgård,et al.  Efficient Multiparty Computations Secure Against an Adaptive Adversary , 1999, EUROCRYPT.

[12]  Ueli Maurer,et al.  General Secure Multi-party Computation from any Linear Secret-Sharing Scheme , 2000, EUROCRYPT.

[13]  Richard J. Lipton,et al.  New Directions In Testing , 1989, Distributed Computing And Cryptography.

[14]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[15]  Judit Bar-Ilan,et al.  Non-cryptographic fault-tolerant computing in constant number of rounds of interaction , 1989, PODC '89.

[16]  Jun Tarui Randomized Polynomials, Threshold Circuits, and the Polynomial Hierarchy , 1991, STACS.

[17]  Anna Gál,et al.  On arithmetic branching programs , 1998, Proceedings. Thirteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat. No.98CB36247).

[18]  Richard Beigel,et al.  The polynomial method in circuit complexity , 1993, [1993] Proceedings of the Eigth Annual Structure in Complexity Theory Conference.

[19]  Joe Kilian,et al.  One-Round Secure Computation and Secure Autonomous Mobile Agents , 2000, ICALP.

[20]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[21]  Avi Wigderson NL/poly /spl sube/ /spl oplus/L/poly , 1994, Proceedings of IEEE 9th Annual Conference on Structure in Complexity Theory.

[22]  Moni Naor,et al.  A minimal model for secure computation (extended abstract) , 1994, STOC '94.

[23]  Yuval Ishai,et al.  Private simultaneous messages protocols with applications , 1997, Proceedings of the Fifth Israeli Symposium on Theory of Computing and Systems.

[24]  Moti Yung,et al.  Non-interactive cryptocomputing for NC/sup 1/ , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[25]  Roman Smolensky,et al.  Algebraic methods in the theory of lower bounds for Boolean circuit complexity , 1987, STOC.

[26]  Ivan Damgård,et al.  Secure Distributed Linear Algebra in a Constant Number of Rounds , 2001, CRYPTO.

[27]  Donald Beaver Minimal-Latency Secure Function Evaluation , 2000, EUROCRYPT.

[28]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[29]  David Chaum,et al.  Multiparty Unconditionally Secure Protocols (Extended Abstract) , 1988, STOC.

[30]  Shi-Chun Tsai,et al.  Lower Bounds on Representing Boolean Functions as Polynomials in Zm , 1996, SIAM J. Discret. Math..

[31]  A. Razborov Lower bounds on the size of bounded depth circuits over a complete basis with logical addition , 1987 .

[32]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[33]  Oded Goldreich,et al.  The Bit Extraction Problem of t-Resilient Functions (Preliminary Version) , 1985, FOCS.

[34]  Joe Kilian,et al.  Founding crytpography on oblivious transfer , 1988, STOC '88.