From Randomizing Polynomials to Parallel Algorithms - CS Technion

Anat Paskin-Cherniavsky, joint work with Yuval Ishai and Eyal Kushilevitz
Technion, Israel Institute of Technology

Secure multi-party computation (MPC)
• A set of parties with private inputs wish to compute some joint function of their inputs.
• The protocol proceeds in rounds.
• Parties wish to preserve some security properties, e.g., privacy and correctness:
  • Up to t parties can be corrupted.
  • Semi-honest setting: parties follow the protocol, but try to learn extra information.
  • Malicious setting: corrupted parties may behave arbitrarily.
• Capturing it all: simulation-based security.
  • The real model vs. the ideal model.
  • The output distributions are (unconditionally/computationally) indistinguishable.

Efficient constant-round MPC with t = Ω(n)
• Possible for all (efficiently computable) functions with computational security [BMR90].
• Big open question: What about unconditional security?
  • Wide open even in the semi-honest model.
• A useful avenue: use a constant-degree polynomial representation [BGW88,BB89].
  • Unfortunately: some functions require degree-n polynomials.
  • Luckily: All functions admit degree-3 randomizing polynomials! [IK00,IK02]
  • Not always efficient, of course.

Encoding functions via polynomials
Focus on boolean functions f : F^n → {0, 1}.
• Polynomials over a finite field F.
• Deterministic vs. randomized encoding:
  • The "usual kind": p(x_1, ..., x_n) outputs a single value.
  • Randomizing polynomials: p(x, r) = (p_1(x, r), ..., p_ℓ(x, r)) produces a distribution.
  • Correctness: For f(x) ≠ f(x'), Δ(p(x, R), p(x', R)) ≥ δ(n) for δ(n) = 1/2, where Δ denotes the distance between the two distributions.
  • Privacy: p(x, R) can be (statistically/computationally) simulated given f(x).

Example: OR(x_1, ..., x_n)
• Standard polynomial representation has degree n.
• Randomizing polynomial: p(x, r) = Σ_{i=1}^n x_i r_i over F_2.
• D_1 = p(x, R) is a random bit for OR(x) = 1.
• D_0 = p(x, R) = 0 for OR(x) = 0 (x = 0).
• Correctness: distance 1 − 1/2 = 1/2.
• Privacy: Indeed, p(0, R) = D_0; otherwise p(x, R) = D_1.
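The OR encoding above, worked through exhaustively in Python as an added example (not code from the slides or their authors): it enumerates D_0 and D_1 for a small n, computes the distance 1/2, and checks that the distribution of p(x, R) depends on x only through OR(x).

```python
# Added example, not from the slides: the OR randomizing polynomial
# p(x, r) = sum_i x_i r_i over F_2, with its output distributions D_0, D_1
# enumerated exhaustively for small n and the two properties checked.
from itertools import product
from fractions import Fraction


def or_rp(x, r):
    """p(x, r) = sum_i x_i * r_i over F_2 (product is AND, sum is mod 2)."""
    return sum(xi & ri for xi, ri in zip(x, r)) % 2


def output_distribution(x):
    """Distribution of p(x, R) for uniform R in F_2^n, as {value: probability}."""
    n = len(x)
    counts = {0: 0, 1: 0}
    for r in product((0, 1), repeat=n):
        counts[or_rp(x, r)] += 1
    return {v: Fraction(c, 2 ** n) for v, c in counts.items()}


def statistical_distance(d0, d1):
    """Delta(D_0, D_1) = (1/2) * sum_v |D_0(v) - D_1(v)|."""
    support = set(d0) | set(d1)
    return sum(abs(d0.get(v, 0) - d1.get(v, 0)) for v in support) / 2


def check_encoding(n):
    """Correctness: Delta(D_0, D_1) >= 1/2.  Privacy: the distribution of
    p(x, R) depends on x only through OR(x).  Returns (distance, privacy_ok).
    A sample of 1 certifies OR(x) = 1; a sample of 0 is ambiguous, which is
    the one-sided error that the distance 1/2 measures."""
    D0 = output_distribution((0,) * n)               # OR(x) = 0 only at x = 0
    D1 = output_distribution((1,) + (0,) * (n - 1))  # any x with OR(x) = 1
    privacy_ok = all(
        output_distribution(x) == (D1 if any(x) else D0)
        for x in product((0, 1), repeat=n))
    return statistical_distance(D0, D1), privacy_ok


if __name__ == "__main__":
    dist, ok = check_encoding(4)
    print(f"Delta(D_0, D_1) = {dist}, privacy holds: {ok}")
```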

Constant-round MPC via randomizing polynomials [IK00]
• The construction:
  • Represent f via randomizing polynomials p(x, r) of degree 3.
  • Let party P_i pick r_i ∈ F at random.
  • Evaluate p(x, Σ_{i=1}^n r_i) via some protocol for securely evaluating polynomials (e.g. [BGW88]).
  • Locally "decode" the output (using the best distinguisher between D_0, D_1).
• Conclusion: Constructing efficient constant-degree randomizing polynomials suffices.
  • Efficient: |p| = poly(n).
  • Sufficient to consider degree-3 polynomials [IK00].
  • Known constructions: capture subclasses of NC^2 (functions computable by circuits of size poly(n) and depth O(log^2 n)) [IK00,IK02]. Large gap (between NC^2 and poly).

Back to the main question
• Our (partial) answer:

Theorem 1. Let F be any field of characteristic q ≤ poly(n). Suppose f has an efficient randomizing-polynomials representation p(x, r) over F_q with degree 2 in r and constant degree in x. Then f ∈ NC^2 for odd q and f ∈ NC^3 for q = 2.

• Most known constructions satisfy the above degree bound.

So, what does it mean?
• Negative: A useful class of randomizing polynomials is not sufficient to solve the big open question for f beyond NC^3.
• Positive: Our proof is constructive: obtain an NC^2 (NC^3) circuit for f.
  • The construction is not generally uniform :(
• A new mechanism for obtaining parallel algorithms!
  • All "creativity" is in finding the randomizing-polynomial representation. Hopefully simpler than "ad-hoc" solutions.

How does the reduction work?
• Step 1: Given p(x, r):
  • Convert the vector of polynomials p to a single polynomial p_0.
  • Makes the distinguishing advantage exponentially small.
  • This is the only non-uniform part of the construction.
• Step 2: On input x, compare p_0(x, R) with the distributions D_0, D_1. Output the one that agrees.
  • Reduces to counting roots of degree-2 polynomials over finite fields F_q.
  • The technical core of this work.

Root counting for polynomials - background
• Degree 3: #P-complete over all finite F [EK90].
• Degree 2: efficient sequential algorithms for all F [EK90,LN97].
• Parallel algorithm for degree 2: partial results for q = poly(n) [LN97].
  • Works for a subset of quadratic forms (polynomials where all monomials have degree 2).
• This work: NC^3 algorithm for characteristic 2, NC^2 algorithm for characteristic q > 2, for q = poly(n).

Root counting - our approach
• Input: p(x) ∈ F[x_1, ..., x_n].
• First consider p_2(x), the degree-2 part of p(x).
• There exists a canonical form p_0(x) equivalent to p_2(x) under a non-singular linear substitution of variables [Arf41,LN97].
  • The theory differs between characteristic 2 and odd characteristic.
• Such substitutions preserve the number of roots.
• Find such a substitution L (hardest part), and compute p_0(x).
• Count the number of roots of p_0, call it m. Use m and L to count the roots of p(x).

Algorithmic application 1 - quadratic residuosity
• The problem: Given x ∈ F_{q^ℓ} (q is odd), output 1 iff y^2 = x for some y ∈ F_{q^ℓ}.
• Sequential algorithm: output x^{(q^ℓ − 1)/2}, folklore.
• Parallel NC^2 algorithm for "small" characteristic (q, ℓ = poly(n)) [FT88].
• Unknown to be in NC for "large" characteristic.
• Our approach:
  • Represent as x · r^2, r ∈ F_{q^ℓ}.
  • Use the construction in (the proof of) Theorem 1 to obtain the (NC^2) algorithm.
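Added example (not code from the slides or their authors): the x · r^2 encoding computed over a prime field F_q (ℓ = 1 is an assumption made here so the field arithmetic is integers mod q). It checks that the output distribution depends only on whether x is a square, that Δ(D_0, D_1) = 1 − 1/q, and that Pr[x · R^2 = v] equals the number of roots of the degree-2 polynomial x · r^2 − v divided by q, which is the root-counting step the reduction relies on.

```python
# Added example, not from the slides: the quadratic-residuosity encoding
# p(x, r) = x * r^2 over F_q, worked out for a prime q (so l = 1; this
# restriction is an assumption made here to keep the arithmetic to ints mod q).
from fractions import Fraction


def euler_criterion(x, q):
    """The folklore sequential test: x^((q-1)/2) mod q is 1 for a nonzero
    square, q-1 (i.e. -1) for a non-square, and 0 for x = 0."""
    return pow(x, (q - 1) // 2, q)


def output_distribution(x, q):
    """Distribution of x * R^2 for uniform R in F_q, as {value: probability}."""
    counts = {}
    for r in range(q):
        v = (x * r * r) % q
        counts[v] = counts.get(v, 0) + 1
    return {v: Fraction(c, q) for v, c in counts.items()}


def count_roots_in_r(x, v, q):
    """Roots r in F_q of the degree-2 polynomial x*r^2 - v.  Step 2 of the
    reduction needs exactly this: Pr[p(x, R) = v] = (#roots) / q."""
    return sum(1 for r in range(q) if (x * r * r - v) % q == 0)


def statistical_distance(d0, d1):
    support = set(d0) | set(d1)
    return sum(abs(d0.get(v, 0) - d1.get(v, 0)) for v in support) / 2


def analyze(q):
    """Return (Delta(D_0, D_1), privacy_ok, root_counts_match) over F_q:
    D_1 is the output on a square, D_0 on a non-square; privacy holds iff
    every square gives D_1 and every non-square gives D_0."""
    squares = [x for x in range(1, q) if euler_criterion(x, q) == 1]
    non_squares = [x for x in range(1, q) if euler_criterion(x, q) != 1]
    D1 = output_distribution(squares[0], q)
    D0 = output_distribution(non_squares[0], q)
    privacy_ok = (all(output_distribution(x, q) == D1 for x in squares) and
                  all(output_distribution(x, q) == D0 for x in non_squares))
    # Both D_0 and D_1 put mass 1/q on the value 0, so the distance is 1 - 1/q.
    roots_match = all(
        output_distribution(x, q).get(v, 0) == Fraction(count_roots_in_r(x, v, q), q)
        for x in range(1, q) for v in range(q))
    return statistical_distance(D0, D1), privacy_ok, roots_match


if __name__ == "__main__":
    print(analyze(7), analyze(11))
```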

Algorithmic application 2 - matrix similarity
• The problem: given x similar to A ∈ F^{n×n} or B ∈ F^{n×n}, find which one it is.
• Parallel: NC^2 algorithm for testing similarity (stronger) [M86,BVH82].
• Our approach:
  • Let r, s be random independent matrices in F^{n×n}.
  • Represent via p(x, (r, s)) = (rs, rxs).
  • Use the construction in (the proof of) Theorem 1 to obtain the (NC^2 or NC^3) algorithm.
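Added example (not code from the slides or their authors): the (rs, rxs) encoding enumerated for 2×2 matrices over F_2, a size chosen here so that every (r, s) pair can be listed. It checks that the output distribution is identical for all matrices in a similarity class and differs between the zero matrix and the identity.

```python
# Added example, not from the slides: the matrix-similarity encoding
# p(x, (r, s)) = (rs, rxs), enumerated exhaustively for 2x2 matrices over F_2
# (a size chosen here so that all 16 x 16 choices of (r, s) can be listed).
from itertools import product
from collections import Counter

# All 16 matrices over F_2, stored as row-major 4-tuples (a, b, c, d).
ALL = [tuple(bits) for bits in product((0, 1), repeat=4)]
PAIRS = 16 * 16  # number of equally likely (r, s) draws


def mul(a, b):
    """2x2 matrix product over F_2."""
    return ((a[0]*b[0] + a[1]*b[2]) % 2, (a[0]*b[1] + a[1]*b[3]) % 2,
            (a[2]*b[0] + a[3]*b[2]) % 2, (a[2]*b[1] + a[3]*b[3]) % 2)


def output_distribution(x):
    """Counts of the outcome (RS, RXS) over all 256 independent uniform (R, S)."""
    return Counter((mul(r, s), mul(mul(r, x), s)) for r in ALL for s in ALL)


def similarity_class(x):
    """{t^-1 x t : t invertible}.  Over F_2, det t = 1 and t^-1 is the
    adjugate (d, b, c, a) of t = (a, b, c, d)."""
    invertible = [t for t in ALL if (t[0]*t[3] + t[1]*t[2]) % 2 == 1]
    return {mul(mul((t[3], t[1], t[2], t[0]), x), t) for t in invertible}


def statistical_distance(c0, c1):
    """Delta between two outcome Counters taken over PAIRS equally likely draws."""
    support = set(c0) | set(c1)
    return sum(abs(c0.get(v, 0) - c1.get(v, 0)) for v in support) / (2 * PAIRS)


def privacy_holds():
    """Privacy: the output distribution depends on x only through its
    similarity class (r -> r t^-1, s -> t s is a bijection on (r, s) that
    keeps rs and turns r (t^-1 x t) s into r x s).  Checked for all 16 x."""
    return all(output_distribution(y) == output_distribution(x)
               for x in ALL for y in similarity_class(x))


if __name__ == "__main__":
    zero, ident = (0, 0, 0, 0), (1, 0, 0, 1)
    print(privacy_holds(),
          statistical_distance(output_distribution(zero), output_distribution(ident)))
```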

Open problems
• Better understand the power of general constant-degree randomizing polynomials.
  • Total degree 3.
  • Statistical privacy.
• Use the current mechanism to find additional algorithmic applications.
• Handle functions f with arbitrary range.
  • The current approach can handle a polynomial-size range.

Bibliography
[AIK05] B. Applebaum, Y. Ishai, and E. Kushilevitz. Computationally private randomizing polynomials and their applications.
[Arf41] C. Arf. Untersuchungen über quadratische Formen in Körpern der Charakteristik 2, I.
[BB89] J. Bar-Ilan and D. Beaver. Non-cryptographic fault-tolerant computing in constant number of rounds of interaction.
[BGW88] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for noncryptographic fault-tolerant distributed computations.
[BMR90] D. Beaver, S. Micali, and P. Rogaway. The round complexity of secure protocols.
[BVH82] A. Borodin, J. von zur Gathen, and J. E. Hopcroft. Fast parallel matrix and GCD computations.
[EK90] A. Ehrenfeucht and M. Karpinski. The computational complexity of (XOR, AND)-counting problems.
[FT88] F. E. Fich and M. Tompa. The parallel complexity of exponentiating polynomials over finite fields.
[IK00] Y. Ishai and E. Kushilevitz. Randomizing polynomials: A new representation with applications to round-efficient secure computation.
[IK02] Y. Ishai and E. Kushilevitz. Perfect constant-round secure computation via perfect randomizing polynomials.
[LN97] R. Lidl and H. Niederreiter. Introduction to finite fields and their applications.
[M86] K. Mulmuley. A fast parallel algorithm to compute the rank of a matrix over an arbitrary field.