Notes
1. This is not the case for non-cryptographic PRGs such as ε-biased generators, for which we do obtain unconditional results.
2. Indeed, the low noise-sensitivity of \(\mathbf{AC}^0\) functions (cf. [137, Lemma 6.6]) allows us to efficiently distinguish them from a truly random function, e.g., by querying the function on a pair of random points which are \(1/\sqrt{n}\)-close to each other in Hamming distance.
3. From here on, we use a crude classification of PRGs into ones having sublinear, linear, or superlinear additive stretch. Note that a PRG stretching its seed by just one bit can be invoked in parallel (on seeds of length \(n^{\varepsilon}\)) to yield a PRG stretching its seed by \(n^{1-\varepsilon}\) bits, for an arbitrary ε>0. Also, an \(\mathbf{NC}^0\) PRG with some linear stretch can be composed with itself a constant number of times to yield an \(\mathbf{NC}^0\) PRG with an arbitrary linear stretch.
4. In some of these constructions it seems necessary to allow a collection of \(\mathbf{NC}^1\) PRGs, and to use polynomial-time preprocessing to pick (once and for all) a random instance from this collection. This is similar to the more standard notion of an OWF collection (cf. [70, Sect. 2.4.2]). See Appendix 4.9 for further discussion of this slightly relaxed notion of PRG.
5. In fact, a modified version of this approach has been applied to constructing randomizing polynomials in [49].
6. Barrington’s theorem generalizes to apply over arbitrary non-solvable groups. Unfortunately, there are no such groups whose order is a power of two.
7. The following construction generalizes naturally to a (counting) mod-p BP computing a function \(f:\{0,1\}^n\to\mathbb{Z}_p\). In this work, however, we will only be interested in the case p=2.
8. We will later show a degree-preserving transformation from a distributional OWF to an OWF (Lemma 6.2); however, in the current context the standard transformation suffices.
9.
10. We can also increase the stretch factor by using the standard construction of Goldreich-Micali [70, Sect. 3.3.2]. In this case the locality of G′ will be \(d^{\lceil (c'-1)/(c-1)\rceil}\).
11. The seminal work of [86] gives a polynomial-time transformation which can be implemented in \(\mathbf{NC}^1\) only in special cases, e.g., when the OWF is one-to-one or “regular”, or in a nonuniform setting where an additional nonuniform advice of logarithmic length is employed by the construction. (See [82, 86] and [15, Remark 6.6].) Indeed, in older versions of this section [15], which predate [83], the following results (Theorem 4.8, Remark 4.5) were obtained only for the case of regular OWFs.
12. Viola, in a concurrent work [138], obtains an \(\mathbf{AC}^0\) reduction of this type.
13. Note that there exists a PRG with locality 3 if and only if there exists a PRG with degree 2. The “if” direction follows from Lemma 4.2 and Lemma 4.7, while the “only if” direction follows from Claim 3.1 and the fact that each output of an \(\mathbf{NC}^0\) PRG must be balanced.
14. In fact, the generator of [112, Theorem 13] is in \(\mathrm{nonuniform}\mbox {-}\mathbf{NC}^{0}_{5}\) (and it has a slightly superlinear stretch). However, a similar construction gives an ε-biased generator in uniform \(\mathbf{NC}^0\) with degree 2 and linear stretch. (The locality of this generator is large but constant.) This can be done by replacing the probabilistic construction given in [112, Lemma 12] with a uniform construction of a constant-degree bipartite expander with some “good” expansion properties – such a construction is given in [44, Theorem 7.1].
15. A degree-1 generator contains more than n linear functions over n variables, which must be linearly dependent and thus biased. The non-existence of a 2-local generator follows from the fact that every nonlinear function of two input bits is biased.
16. Indeed, in the current model of (non-uniform) space-bounded computation with one-way access to the input (and two-way access to the advice), there exist a Boolean function \(\hat{M}\) computable in sublinear space and a linear function S such that the composed function \(\hat{M}(S(\cdot))\) is not computable in sublinear space. For instance, let \(\hat{M}(y_{1},\ldots,y_{2n})=y_{1}y_{2}+y_{3}y_{4}+\cdots+y_{2n-1}y_{2n}\) and \(S(x_{1},\ldots,x_{2n})=(x_{1},x_{n+1},x_{2},x_{n+2},\ldots,x_{n},x_{2n})\).
17. Our \(\mathbf{NC}^0\) signing algorithm is probabilistic, but this is unavoidable. Indeed, while a signing algorithm may in general be deterministic (see [72, p. 506]), an \(\mathbf{NC}^0\) signing algorithm cannot be deterministic, since in this case an adversary can efficiently learn it and use it to forge messages.
18. A modification of this scheme remains secure even if we replace Send with a randomized encoding which is only statistically correct. However, in this modification we cannot use the canonical decommitment stage. Instead, the receiver should verify the decommitment by applying the decoder B to \(\hat{c}\) and comparing the result to the computation of the original sender; i.e., the receiver checks whether \(B(\hat{c})\) equals Send(b,r). A disadvantage of this alternative decommitment is that it does not enjoy the enhanced parallelism feature discussed below. Also, the resulting scheme is only statistically binding.
19. Note that unlike the key-generation algorithm, which can be applied “once and for all”, the domain sampler should be invoked for each application of the primitive.
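Notes 13 and 15 rest on two elementary facts about low-degree and low-locality functions over GF(2): every balanced function of two input bits is affine (so any 2-local output that is nonlinear is biased), and more than n linear functions of n variables are linearly dependent, so some fixed parity of a degree-1 generator's outputs is constant on every seed. The following Python code is an added example written for this page, not code from the chapter; it enumerates all sixteen two-bit functions and runs GF(2) elimination on a small constructed "degree-1 generator" to exhibit the constant output parity a distinguisher would test.

```python
from fractions import Fraction
from itertools import product


def bias(truth_table):
    """|Pr[f=1] - 1/2| for a Boolean function given by its truth table."""
    return abs(Fraction(sum(truth_table), len(truth_table)) - Fraction(1, 2))


def is_affine_2bit(tt):
    """tt is indexed by 2*x + y. Affine over GF(2) means f(x,y) = a*x + b*y + c
    for some a, b, c in {0,1}; there are exactly 8 such functions."""
    for a, b, c in product((0, 1), repeat=3):
        if all(tt[2 * x + y] == (a & x) ^ (b & y) ^ c for x in (0, 1) for y in (0, 1)):
            return True
    return False


def two_bit_function_report():
    """All 16 functions f:{0,1}^2 -> {0,1} as (truth_table, affine?, bias)."""
    return [(tt, is_affine_2bit(tt), bias(tt)) for tt in product((0, 1), repeat=4)]


def nonaffine_but_balanced():
    """Counterexamples to note 15's claim; expected to be empty."""
    return [tt for tt, affine, b in two_bit_function_report() if not affine and b == 0]


def gf2_dependency(rows, n):
    """rows: m linear functions over n variables, each an n-bit mask whose bit j
    means 'x_j appears'. Returns a 0/1 list c with sum_i c_i*rows[i] == 0 (a
    nontrivial dependency), or None if the rows are independent. Standard
    highest-set-bit XOR basis, extended to remember which input rows combine
    into each basis vector."""
    basis = [None] * n  # basis[b] = (vector with highest set bit b, combo mask)
    for i, r in enumerate(rows):
        combo = 1 << i
        for b in reversed(range(n)):
            if not (r >> b) & 1:
                continue
            if basis[b] is None:
                basis[b] = (r, combo)
                break
            r ^= basis[b][0]
            combo ^= basis[b][1]
        else:
            # Loop ran to completion without placing a pivot: r reduced to 0,
            # so the rows selected by combo sum to the zero function.
            return [(combo >> j) & 1 for j in range(len(rows))]
    return None


def constant_parity_of_outputs(rows, n):
    """For the toy degree-1 generator G(x) = (<rows[0],x>, ..., <rows[m-1],x>)
    with m > n, return (combo, values): combo selects output positions whose
    XOR takes the values in `values` over all 2^n seeds. A dependency forces
    values == {0}, i.e. that parity has bias 1/2 and G is trivially broken."""
    combo = gf2_dependency(rows, n)
    if combo is None:
        raise ValueError("rows are independent; need m > n for a forced dependency")
    values = set()
    for seed in range(2 ** n):
        outputs = [bin(r & seed).count("1") & 1 for r in rows]  # <row, seed> mod 2
        values.add(sum(o for o, c in zip(outputs, combo) if c) & 1)
    return combo, values


if __name__ == "__main__":
    print("non-affine balanced 2-bit functions:", nonaffine_but_balanced())
    # Constructed example: n = 3 seed bits, m = 4 linear outputs.
    toy_rows = [0b011, 0b101, 0b110, 0b100]
    print("dependency and parity values:", constant_parity_of_outputs(toy_rows, 3))
```

The elimination is exact, so the check generalizes: for any list of more than n masks over n variables `gf2_dependency` finds a dependency, and `constant_parity_of_outputs` then confirms on every seed that the selected parity never changes.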
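Note 16's example can be made concrete: \(\hat{M}\) sums the products of adjacent pairs, so a one-way pass needs only the previous bit of the current pair and the running sum, whereas \(\hat{M}(S(x))\) is the inner product of the two halves of x, and the natural one-way evaluator has to buffer the entire first half. The Python below is an added illustration written for this page, not code from the chapter; it verifies the composition identity on all inputs for a small constructed n and reports the working-state size each evaluator actually uses (this measures the given algorithms, it is not a proof of the space lower bound the note asserts).

```python
from itertools import product


def m_hat_streaming(y):
    """hat-M(y_1..y_2n) = y_1 y_2 + y_3 y_4 + ... + y_{2n-1} y_{2n} (mod 2),
    read left to right with two bits of state: the pending first bit of the
    current pair and the running sum. Returns (value, state_bits_used)."""
    acc, pending = 0, None
    for bit in y:
        if pending is None:
            pending = bit
        else:
            acc ^= pending & bit
            pending = None
    if pending is not None:
        raise ValueError("hat-M expects an even-length input")
    return acc, 2


def interleave_S(x):
    """S(x_1..x_2n) = (x_1, x_{n+1}, x_2, x_{n+2}, ..., x_n, x_{2n})."""
    n = len(x) // 2
    out = []
    for i in range(n):
        out.append(x[i])
        out.append(x[n + i])
    return out


def composed_one_way(x):
    """hat-M(S(x)) computed with one-way access to x itself. S pairs x_i with
    x_{n+i}, so the evaluator must hold the whole first half before it can
    multiply anything. Returns (value, peak_state_bits)."""
    n = len(x) // 2
    buffer, acc, peak = [], 0, 0
    for i, bit in enumerate(x):
        if i < n:
            buffer.append(bit)          # first half: nothing to do yet
        else:
            acc ^= buffer[i - n] & bit  # second half: pair with stored bit
        peak = max(peak, len(buffer) + 1)
    return acc, peak


def inner_product_mod2(x):
    """Reference: <x_1..x_n, x_{n+1}..x_2n> mod 2, with random access."""
    n = len(x) // 2
    return sum(a & b for a, b in zip(x[:n], x[n:])) & 1


def composition_matches_inner_product(n):
    """Check hat-M(S(x)) == <first half, second half> for every x in {0,1}^2n."""
    for x in product((0, 1), repeat=2 * n):
        x = list(x)
        via_s, _ = m_hat_streaming(interleave_S(x))
        via_one_way, _ = composed_one_way(x)
        if not (via_s == via_one_way == inner_product_mod2(x)):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample input with n = 3 (six bits).
    x = [1, 0, 1, 1, 1, 0]
    print("hat-M state bits:", m_hat_streaming(interleave_S(x))[1])
    print("one-way composed value, peak state bits:", composed_one_way(x))
    print("identity holds for all 6-bit inputs:", composition_matches_inner_product(3))
```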
References
Agrawal, M., Allender, E., Rudich, S.: Reductions in circuit complexity: an isomorphism theorem and a gap theorem. J. Comput. Syst. Sci. 57(2), 127–143 (1998)
Ajtai, M.: Generating hard instances of lattice problems. In: Proc. of 28th STOC, pp. 99–108 (1996). Full version in Electronic Colloquium on Computational Complexity (ECCC)
Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proc. of 29th STOC, pp. 284–293 (1997)
Alekhnovich, M.: More on average case vs approximation complexity. In: Proc. of 44th FOCS, pp. 298–307 (2003)
Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC0. SIAM J. Comput. 36(4), 845–888 (2006). Preliminary version in Proc. of 45th FOCS, 2004
Babai, L., Nisan, N., Szegedy, M.: Multiparty protocols and logspace-hard pseudorandom sequences. In: Proc. of 21st STOC, pp. 1–11 (1989)
Barrington, D.A.: Bounded-width polynomial-size branching programs recognize exactly those languages in NC1. In: Proc. of 18th STOC, pp. 1–5 (1986)
Blum, M.: Coin flipping by telephone: a protocol for solving impossible problems. SIGACT News 15(1), 23–27 (1983)
Blum, M., Goldwasser, S.: An efficient probabilistic public-key encryption scheme which hides all partial information. In: Advances in Cryptology: Proc. of CRYPTO ’84. LNCS, vol. 196, pp. 289–302 (1985)
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13, 850–864 (1984). Preliminary version in Proc. of FOCS ’82
Canetti, R., Krawczyk, H., Nielsen, J.: Relaxing chosen ciphertext security of encryption schemes. In: Advances in Cryptology: Proc. of CRYPTO ’03. LNCS, vol. 2729, pp. 565–582 (2003)
Capalbo, M., Reingold, O., Vadhan, S., Wigderson, A.: Randomness conductors and constant-degree lossless expanders. In: Proc. of 34th STOC, pp. 659–668 (2002)
Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)
Cramer, R., Fehr, S., Ishai, Y., Kushilevitz, E.: Efficient multi-party computation over rings. In: Advances in Cryptology: Proc. of EUROCRYPT ’03, pp. 596–613 (2003)
Cryan, M., Miltersen, P.B.: On pseudorandom generators in NC0. In: Proc. of 26th MFCS (2001)
Damgård, I.B.: Collision free hash functions and public key signature schemes. In: Proc. of EUROCRYPT ’87, pp. 203–216 (1988)
Damgård, I.B., Pedersen, T.P., Pfitzmann, B.: On the existence of statistically hiding bit commitment schemes and fail-stop signatures. In: Advances in Cryptology: Proc. of CRYPTO ’93. LNCS, vol. 773, pp. 250–265 (1994)
Feigenbaum, J.: Locally random reductions in interactive complexity theory. In: Advances in Computational Complexity Theory. DIMACS Series on Discrete Mathematics and Theoretical Computer Science, vol. 13, pp. 73–98 (1993)
Gamal, T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Advances in Cryptology: Proc. of CRYPTO ’84. LNCS, vol. 196, pp. 10–18 (1985). Also published in IEEE Transactions on Information Theory IT-31(4) (1985)
Goldberg, A.V., Kharitonov, M., Yung, M.: Lower bounds for pseudorandom number generators. In: Proc. of 30th FOCS, pp. 242–247 (1989)
Goldreich, O.: Modern Cryptography, Probabilistic Proofs and Pseudorandomness. Algorithms and Combinatorics, vol. 17. Springer, Berlin (1998)
Goldreich, O.: Candidate one-way functions based on expander graphs. Electron. Colloq. Comput. Complex. 7, 090 (2000)
Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, Cambridge (2001)
Goldreich, O.: Foundations of Cryptography: Basic Applications. Cambridge University Press, Cambridge (2004)
Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. Electron. Colloq. Comput. Complex. 96, 042 (1996)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33, 792–807 (1986)
Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(2), 167–189 (1996)
Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: Proc. of 21st STOC, pp. 25–32 (1989)
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984). Preliminary version in Proc. of STOC ’82
Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. In: Advances in Cryptology: Proc. of CRYPTO ’06, pp. 22–40 (2006)
Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: Proc. of 42nd STOC, pp. 437–446 (2010)
Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Advances in Cryptology: Proc. of CRYPTO ’96. LNCS, vol. 1109, pp. 201–215 (1996)
Håstad, J.: One-way permutations in NC0. Inf. Process. Lett. 26, 153–155 (1987)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Hsiao, C.Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Advances in Cryptology: Proc. of CRYPTO ’04. LNCS, vol. 3152, pp. 92–105 (2004)
Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: Proc. of 30th FOCS, pp. 230–235 (1989)
Impagliazzo, R., Naor, M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptol. 9, 199–216 (1996)
Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: Proc. of 41st FOCS, pp. 294–304 (2000)
Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Proc. of 29th ICALP, pp. 244–256 (2002)
Kharitonov, M.: Cryptographic hardness of distribution-specific learning. In: Proc. of 25th STOC, pp. 372–381 (1993)
Kilian, J.: Founding cryptography on oblivious transfer. In: Proc. of 20th STOC, pp. 20–31 (1988)
Linial, N., Mansour, Y., Nisan, N.: Constant depth circuits, Fourier transform, and learnability. J. ACM 40(3), 607–620 (1993). Preliminary version in Proc. of 30th FOCS, 1989
Mossel, E., Shpilka, A., Trevisan, L.: On ε-biased generators in NC0. In: Proc. of 44th FOCS, pp. 136–145 (2003)
Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4, 151–158 (1991)
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004). Preliminary version in Proc. of 38th FOCS, 1997
Nisan, N.: Pseudorandom generators for space-bounded computation. Combinatorica 12(4), 449–461 (1992)
Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Advances in Cryptology: Proc. of CRYPTO ’91. LNCS, vol. 576, pp. 129–149 (1991)
Rabin, M.O.: Digitalized signatures and public key functions as intractable as factoring. Technical Report 212, LCS, MIT (1979)
Regev, O.: New lattice based cryptographic constructions. In: Proc. of 35th STOC, pp. 407–416 (2003)
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Viola, E.: The complexity of constructing pseudorandom generators from hard functions. Comput. Complex. 13(3–4), 147–188 (2005)
Viola, E.: On constructing parallel pseudorandom generators from one-way functions. In: Proc. of 20th Conference on Computational Complexity (CCC), pp. 183–197 (2005)
Yao, A.C.: Theory and application of trapdoor functions. In: Proc. of 23rd FOCS, pp. 80–91 (1982)
Yao, A.C.: How to generate and exchange secrets. In: Proc. of 27th FOCS, pp. 162–167 (1986)
Yu, X., Yung, M.: Space lower-bounds for pseudorandom-generators. In: Proc. of 9th Structure in Complexity Theory Conference, pp. 186–197 (1994)
© 2014 Springer-Verlag Berlin Heidelberg
About this chapter
Applebaum, B. (2014). Cryptography in NC0. In: Cryptography in Constant Parallel Time. Information Security and Cryptography. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17367-7_4
DOI: https://doi.org/10.1007/978-3-642-17367-7_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17366-0
Online ISBN: 978-3-642-17367-7