TY - GEN
T1 - Encoding functions with constant online rate or how to compress garbled circuits keys
AU - Applebaum, Benny
AU - Ishai, Yuval
AU - Kushilevitz, Eyal
AU - Waters, Brent
PY - 2013
Y1 - 2013
N2 - Randomized encodings of functions can be used to replace a "complex" function f(x) by a "simpler" randomized mapping f̂(x;r) whose output distribution on an input x encodes the value of f(x) and hides any other information about x. One desirable feature of randomized encodings is low online complexity. That is, the goal is to obtain a randomized encoding f̂ of f in which most of the output can be precomputed and published before seeing the input x. When the input x is available, it remains to publish only a short string x̂, where the online complexity of computing x̂ is independent of (and is typically much smaller than) the complexity of computing f. Yao's garbled circuit construction gives rise to such randomized encodings in which the online part x̂ consists of n encryption keys of length κ each, where n = |x| and κ is a security parameter. Thus, the online rate |x̂|/|x| of this encoding is proportional to the security parameter κ. In this paper, we show that the online rate can be dramatically improved. Specifically, we show how to encode any polynomial-time computable function f:{0,1}n → {0,1}m(n) with online rate of 1 + o(1) and with nearly linear online computation. More concretely, the online part x̂ consists of an n-bit string and a single encryption key. These constructions can be based on the decisional Diffie-Hellman assumption (DDH), the Learning with Errors assumption (LWE), or the RSA assumption. We also present a variant of this result which applies to arithmetic formulas, where the encoding only makes use of arithmetic operations, as well as several negative results which complement our positive results. Our positive results can lead to efficiency improvements in most contexts where randomized encodings of functions are used. We demonstrate this by presenting several concrete applications. These include protocols for secure multiparty computation and for non-interactive verifiable computation in the preprocessing model which achieve, for the first time, an optimal online communication complexity, as well as non-interactive zero-knowledge proofs which simultaneously minimize the online communication and the prover's online computation.
AB - Randomized encodings of functions can be used to replace a "complex" function f(x) by a "simpler" randomized mapping f̂(x;r) whose output distribution on an input x encodes the value of f(x) and hides any other information about x. One desirable feature of randomized encodings is low online complexity. That is, the goal is to obtain a randomized encoding f̂ of f in which most of the output can be precomputed and published before seeing the input x. When the input x is available, it remains to publish only a short string x̂, where the online complexity of computing x̂ is independent of (and is typically much smaller than) the complexity of computing f. Yao's garbled circuit construction gives rise to such randomized encodings in which the online part x̂ consists of n encryption keys of length κ each, where n = |x| and κ is a security parameter. Thus, the online rate |x̂|/|x| of this encoding is proportional to the security parameter κ. In this paper, we show that the online rate can be dramatically improved. Specifically, we show how to encode any polynomial-time computable function f:{0,1}n → {0,1}m(n) with online rate of 1 + o(1) and with nearly linear online computation. More concretely, the online part x̂ consists of an n-bit string and a single encryption key. These constructions can be based on the decisional Diffie-Hellman assumption (DDH), the Learning with Errors assumption (LWE), or the RSA assumption. We also present a variant of this result which applies to arithmetic formulas, where the encoding only makes use of arithmetic operations, as well as several negative results which complement our positive results. Our positive results can lead to efficiency improvements in most contexts where randomized encodings of functions are used. We demonstrate this by presenting several concrete applications. These include protocols for secure multiparty computation and for non-interactive verifiable computation in the preprocessing model which achieve, for the first time, an optimal online communication complexity, as well as non-interactive zero-knowledge proofs which simultaneously minimize the online communication and the prover's online computation.
UR - http://www.scopus.com/inward/record.url?scp=84884493672&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-40084-1_10
DO - 10.1007/978-3-642-40084-1_10
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:84884493672
SN - 9783642400834
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 166
EP - 184
BT - Advances in Cryptology, CRYPTO 2013 - 33rd Annual Cryptology Conference, Proceedings
T2 - 33rd Annual International Cryptology Conference, CRYPTO 2013
Y2 - 18 August 2013 through 22 August 2013
ER -