Computationally private randomizing polynomials and their applications

Benny Applebaum, Yuval Ishai, Eyal Kushilevitz

Research output: Contribution to journal › Conference article › peer-review

26 Scopus citations

Abstract

Randomizing polynomials allow one to represent a function f(x) by a low-degree randomized mapping f̂(x,r) whose output distribution on an input x is a randomized encoding of f(x). It is known that any function f in ⊕L/poly (and in particular in NC^1) can be efficiently represented by degree-3 randomizing polynomials. Such a degree-3 representation gives rise to an NC^0_4 representation, in which every bit of the output depends on only 4 bits of the input. In this paper, we study the relaxed notion of computationally private randomizing polynomials, where the output distribution of f̂(x,r) should only be computationally indistinguishable from a randomized encoding of f(x). We construct degree-3 randomizing polynomials of this type for every polynomial-time computable function, assuming the existence of a cryptographic pseudorandom generator (PRG) in ⊕L/poly. (The latter assumption is implied by most standard intractability assumptions used in cryptography.) This result is obtained by combining a variant of Yao's garbled circuit technique with previous "information-theoretic" constructions of randomizing polynomials. We then present the following applications:

Relaxed assumptions for cryptography in NC^0. Assuming a PRG in ⊕L/poly, the existence of an arbitrary public-key encryption, commitment, or signature scheme implies the existence of such a scheme in NC^0_4. Previously, one needed to assume the existence of such schemes in ⊕L/poly or similar classes.

New parallel reductions between cryptographic primitives. We show that even some relatively complex cryptographic primitives, including (stateless) symmetric encryption and digital signatures, are NC^0-reducible to a PRG. No parallel reductions of this type were previously known, even in NC. Our reductions make a non-black-box use of the underlying PRG.

Application to secure multi-party computation. Assuming a PRG in ⊕L/poly, the task of computing an arbitrary (polynomial-time computable) function with computational security efficiently reduces to that of securely computing degree-3 polynomials. This gives rise to new, conceptually simpler, constant-round protocols for general functions.
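To make the notion of a degree-3 randomizing polynomial concrete, here is an added toy example (not code from the paper): the branching-program style encoding f̂(x,r) = R1(r1)·L(x)·R2(r2) over GF(2) used by the information-theoretic constructions the abstract builds on, applied to the single AND gate f(x1,x2) = x1·x2. The 2x2 matrix L(x) with det L(x) = f(x) and the shapes of R1 and R2 are chosen here for this toy case; the check enumerates all randomness to show correctness (the decoder recovers f(x)) and privacy (the output distribution depends only on f(x)).

```python
import itertools
from collections import Counter

def L(x1, x2):
    # Affine (degree-1) matrix with det(L) = x1*x2 mod 2; constructed for this toy case.
    return [[x1, 0],
            [1, x2]]

def matmul2(A, B):
    """2x2 matrix product over GF(2)."""
    return [[(A[i][0] * B[0][j] + A[i][1] * B[1][j]) % 2 for j in range(2)]
            for i in range(2)]

def encode(x1, x2, r1, r2):
    """f-hat(x, r) = R1(r1) * L(x) * R2(r2) mod 2; every entry is a polynomial of degree <= 3."""
    R1 = [[1, r1], [0, 1]]  # upper triangular, 1s on the diagonal, random entry above
    R2 = [[1, r2], [0, 1]]  # 1s on the diagonal, random last column
    return matmul2(matmul2(R1, L(x1, x2)), R2)

def decode(M):
    """Recover f(x): the determinant is unchanged by multiplying with R1 and R2 (both have det 1)."""
    return (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % 2

def output_distribution(x1, x2):
    """Distribution of f-hat(x, r) over all r in {0,1}^2 (brute force; the encoding is tiny)."""
    return Counter(tuple(map(tuple, encode(x1, x2, r1, r2)))
                   for r1, r2 in itertools.product((0, 1), repeat=2))

def check_correctness_and_privacy():
    """Correctness: decode(encode(x, r)) == f(x) for all x, r.
    Privacy: the output distribution depends only on f(x), not on x itself."""
    dists = {}
    for x1, x2 in itertools.product((0, 1), repeat=2):
        for r1, r2 in itertools.product((0, 1), repeat=2):
            if decode(encode(x1, x2, r1, r2)) != (x1 & x2):
                return False
        dists[(x1, x2)] = output_distribution(x1, x2)
    # all three inputs with f(x) = 0 must give the same distribution ...
    same = dists[(0, 0)] == dists[(0, 1)] == dists[(1, 0)]
    # ... and the f(x) = 1 input must give a different one, so the encoding still carries f(x)
    differs = dists[(1, 1)] != dists[(0, 0)]
    return same and differs

if __name__ == "__main__":
    print("correct and private:", check_correctness_and_privacy())
```

Every output entry is a product of one entry each from R1, L(x) and R2, which is why the representation has degree 3 in (x, r); the paper's computationally private variant keeps this degree but relaxes the perfect equality of distributions to computational indistinguishability.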

Original language: English
Pages (from-to): 260-274
Number of pages: 15
Journal: Proceedings of the Annual IEEE Conference on Computational Complexity
State: Published - 2005
Event: 20th Annual IEEE Conference on Computational Complexity - San Jose, CA, United States
Duration: 11 Jun 2005 to 15 Jun 2005

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Computational Mathematics
