Part of the book series: Information Security and Cryptography (ISC)

Notes

  1. This is not the case for non-cryptographic PRGs such as ε-biased generators, for which we do obtain unconditional results.

  2. Indeed, the low noise sensitivity of AC^0 functions (cf. [137, Lemma 6.6]) allows us to efficiently distinguish them from a truly random function, e.g., by querying the function on a pair of random points which are \(1/\sqrt{n}\)-close to each other in Hamming distance: a truly random function disagrees on such a pair with probability exactly 1/2, whereas an AC^0 function rarely does.

  3. From here on, we use a crude classification of PRGs into ones having sublinear, linear, or superlinear additive stretch. Note that a PRG stretching its seed by just one bit can be invoked in parallel (on n^{1−ε} seeds of length n^ε each) to yield a PRG stretching its seed by n^{1−ε} bits, for an arbitrary ε>0. Also, an NC^0 PRG with some linear stretch can be composed with itself a constant number of times to yield an NC^0 PRG with an arbitrary linear stretch.

  4. In some of these constructions it seems necessary to allow a collection of NC^1 PRGs, and to use polynomial-time preprocessing to pick (once and for all) a random instance from this collection. This is similar to the more standard notion of an OWF collection (cf. [70, Sect. 2.4.2]). See Appendix 4.9 for further discussion of this slightly relaxed notion of PRG.

  5. In fact, a modified version of this approach has been applied to the construction of randomizing polynomials in [49].

  6. Barrington's theorem generalizes to apply over arbitrary non-solvable groups. Unfortunately, there are no such groups whose order is a power of two.

  7. The following construction generalizes naturally to a (counting) mod-p BP, computing a function f: {0,1}^n → Z_p. In this work, however, we will only be interested in the case p=2.

  8. We will later show a degree-preserving transformation from a distributional OWF to an OWF (Lemma 6.2); however, in the current context the standard transformation suffices.

  9. Rabin's factoring-based OWP collection [123] seems insufficient for our purposes, as it cannot be defined over the set of all strings of a given length. The standard modification (cf. [72, p. 767]) does not seem to be in ⊕L/poly.

  10. We can also increase the stretch factor by using the standard construction of Goldreich and Micali [70, Sect. 3.3.2]. In this case the locality of G′ will be d^{⌈(c′−1)/(c−1)⌉}.

  11. The seminal work of [86] gives a polynomial-time transformation which can be implemented in NC^1 only in special cases, e.g., when the OWF is one-to-one or "regular", or in a nonuniform setting where additional nonuniform advice of logarithmic length is employed by the construction. (See [82, 86] and [15, Remark 6.6].) Indeed, in older versions of this section [15], which predate [83], the following results (Theorem 4.8, Remark 4.5) were obtained only for the case of regular OWFs.

  12. Viola, in a concurrent work [138], obtains an AC^0 reduction of this type.

  13. Note that there exists a PRG with locality 3 if and only if there exists a PRG with degree 2. The "if" direction follows from Lemma 4.2 and Lemma 4.7, while the "only if" direction follows from Claim 3.1 and the fact that each output of an NC^0 PRG must be balanced.

  14. In fact, the generator of [112, Theorem 13] is in \(\mathrm{nonuniform}\text{-}\mathbf{NC}^{0}_{5}\) (and it has a slightly superlinear stretch). However, a similar construction gives an ε-biased generator in uniform NC^0 with degree 2 and linear stretch. (The locality of this generator is large but constant.) This can be done by replacing the probabilistic construction given in [112, Lemma 12] with a uniform construction of a constant-degree bipartite expander with some "good" expansion properties; such a construction is given in [44, Theorem 7.1].

  15. A degree-1 generator contains more than n linear functions over n variables, which must be linearly dependent; hence some fixed parity of the output bits is constant, and the output is biased. The non-existence of a 2-local generator follows from the fact that every nonlinear function of two input bits is biased.

  16. Indeed, in the current model of (non-uniform) space-bounded computation with one-way access to the input (and two-way access to the advice), there exist a boolean function \(\hat{M}\) computable in sublinear space and a linear function S such that the composed function \(\hat{M}(S(\cdot))\) is not computable in sublinear space. For instance, let \(\hat{M}(y_{1},\ldots,y_{2n})=y_{1}y_{2}+y_{3}y_{4}+\cdots+y_{2n-1}y_{2n}\) and \(S(x_{1},\ldots,x_{2n})=(x_{1},x_{n+1},x_{2},x_{n+2},\ldots,x_{n},x_{2n})\).

  17. Our NC^0 signing algorithm is probabilistic, but this is unavoidable. Indeed, while a signing algorithm may in general be deterministic (see [72, p. 506]), an NC^0 signing algorithm cannot be deterministic: for a fixed key, each signature bit would then depend on a constant number of message bits, so an adversary could efficiently learn the signing function from signatures on chosen messages and use it to forge signatures on new messages.

  18. A modification of this scheme remains secure even if we replace Send with a randomized encoding which is only statistically correct. However, in this modification we cannot use the canonical decommitment stage. Instead, the receiver should verify the decommitment by applying the decoder B to \(\hat{c}\) and comparing the result to the computation of the original sender; i.e., the receiver checks whether \(B(\hat{c})\) equals Send(b,r). A disadvantage of this alternative decommitment is that it does not enjoy the enhanced parallelism feature discussed below. Also, the resulting scheme is only statistically binding.

  19. Note that unlike the key-generation algorithm, which can be applied "once and for all", the domain sampler should be invoked for each application of the primitive.
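
The distinguishing test sketched in Note 2, as an added example in Python that is not code from the chapter. It uses a constructed "tribes" DNF (an OR of disjoint ANDs, i.e. a depth-2 AC^0 circuit) as the AC^0 target and a keyed SHA-256 oracle as a stand-in for a truly random function, then estimates Pr[f(x) ≠ f(x')] over random pairs (x, x') at Hamming distance √n. The function names, the parameters n = 1024 and term width 10, and the decision threshold 0.25 are choices made for this example, not values from the chapter.

```python
import hashlib
import random


def random_function_oracle(key: bytes):
    """Stand-in for a truly random function {0,1}^n -> {0,1}: a keyed hash
    of the input (constructed for this example; any fixed key works)."""
    def f(x):
        return hashlib.sha256(key + bytes(x)).digest()[0] & 1
    return f


def tribes(n: int, width: int, seed: int = 0):
    """Constructed AC^0 target: an OR of n // width disjoint ANDs of `width`
    input bits each (a 'tribes' DNF, i.e. a depth-2 AC^0 circuit)."""
    rng = random.Random(seed)
    positions = list(range(n))
    rng.shuffle(positions)
    terms = [positions[i:i + width] for i in range(0, n - width + 1, width)]

    def f(x):
        return int(any(all(x[i] for i in term) for term in terms))
    return f


def flip_random_bits(x, k: int, rng: random.Random):
    """Copy of x with k distinct random positions flipped (Hamming distance exactly k)."""
    y = list(x)
    for i in rng.sample(range(len(x)), k):
        y[i] ^= 1
    return y


def noise_sensitivity(f, n: int, samples: int = 2000, seed: int = 0) -> float:
    """Estimate Pr[f(x) != f(x')] for uniform x and x' at Hamming distance
    k = floor(sqrt(n)), i.e. the pair is 1/sqrt(n)-close as in Note 2."""
    rng = random.Random(seed)
    k = max(1, int(n ** 0.5))
    disagreements = 0
    for _ in range(samples):
        x = [rng.randrange(2) for _ in range(n)]
        if f(x) != f(flip_random_bits(x, k, rng)):
            disagreements += 1
    return disagreements / samples


def distinguish(f, n: int, threshold: float = 0.25, samples: int = 2000, seed: int = 0) -> str:
    """A random function disagrees on about half of the close pairs; an AC^0
    function on far fewer. The threshold 0.25 is an arbitrary midpoint."""
    return "ac0-like" if noise_sensitivity(f, n, samples, seed) < threshold else "random-like"


if __name__ == "__main__":
    n = 1024
    print(distinguish(tribes(n, width=10), n))                         # ac0-like
    print(distinguish(random_function_oracle(b"constructed-key"), n))  # random-like
```

With these parameters the tribes function disagrees on roughly 5% of the close pairs (a true term survives 32 random flips with probability about 0.73, and only about 10% of inputs satisfy any term), while the hash oracle disagrees on about 50%, so a few thousand queries separate the two cases by a wide margin. The same test, with an appropriately chosen distance, applies to any function family whose noise sensitivity is provably small.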

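Both impossibility arguments of Note 15, as an added example in Python that is not part of the chapter. It builds a constructed degree-1 "generator" G: {0,1}^n → {0,1}^m with m > n (every output bit is a fixed random parity of the seed), recovers a linear dependency among G's outputs by Gaussian elimination over GF(2), and turns it into a parity test that always passes on G's output but passes on uniform strings only half the time; it then enumerates all sixteen boolean functions of two bits to confirm that every unbiased one is affine, which is why no 2-local output can be both nonlinear and balanced. All function names and the parameters n = 64, m = 65 are choices made for this example.

```python
import random


def left_nullspace_vector(rows):
    """Gaussian elimination over GF(2). `rows` are m vectors of n bits; return a
    nonzero c in {0,1}^m with sum_j c_j * rows[j] = 0 (mod 2), or None if the
    rows are linearly independent. Each row is tagged with a unit vector so the
    tags track which combination of original rows each reduced row equals."""
    m, n = len(rows), len(rows[0])
    aug = [(list(r), [int(j == i) for j in range(m)]) for i, r in enumerate(rows)]
    pivot = 0
    for col in range(n):
        src = next((r for r in range(pivot, m) if aug[r][0][col]), None)
        if src is None:
            continue
        aug[pivot], aug[src] = aug[src], aug[pivot]
        for r in range(m):
            if r != pivot and aug[r][0][col]:
                aug[r] = ([a ^ b for a, b in zip(aug[r][0], aug[pivot][0])],
                          [a ^ b for a, b in zip(aug[r][1], aug[pivot][1])])
        pivot += 1
        if pivot == m:
            break
    for vec, tag in aug:
        if not any(vec):
            return tag
    return None


def linear_generator(n: int, m: int, seed: int = 0):
    """Constructed degree-1 'generator' G: {0,1}^n -> {0,1}^m, m > n: every
    output bit is a fixed random parity of the seed bits. Returns G and its
    public description (the m parity vectors), which a distinguisher knows."""
    rng = random.Random(seed)
    rows = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]

    def G(s):
        return [sum(a & b for a, b in zip(row, s)) & 1 for row in rows]
    return G, rows


def linear_distinguisher(rows):
    """Turn the dependency c among G's outputs into a test D(y) that accepts
    iff the parity of y on the support of c is 0: always true for y = G(s)."""
    c = left_nullspace_vector(rows)
    if c is None:
        raise ValueError("outputs are independent; needs m > n")

    def D(y):
        return sum(cj & yj for cj, yj in zip(c, y)) & 1 == 0
    return D, c


def acceptance_rates(D, G, n: int, m: int, trials: int = 500, seed: int = 1):
    """Fraction of accepted samples on G(uniform seed) versus on uniform strings."""
    rng = random.Random(seed)
    on_prg = sum(D(G([rng.randrange(2) for _ in range(n)])) for _ in range(trials)) / trials
    on_uniform = sum(D([rng.randrange(2) for _ in range(m)]) for _ in range(trials)) / trials
    return on_prg, on_uniform


def unbiased_two_bit_functions_are_affine() -> bool:
    """Second claim of Note 15: enumerate all 16 functions of two bits and check
    that every unbiased one (truth table with two 1s) is a*x + b*y + c over GF(2)."""
    affine = {tuple((a & x) ^ (b & y) ^ c for x in (0, 1) for y in (0, 1))
              for a in (0, 1) for b in (0, 1) for c in (0, 1)}
    tables = [tuple((t >> i) & 1 for i in range(4)) for t in range(16)]
    return all(tbl in affine for tbl in tables if sum(tbl) == 2)


if __name__ == "__main__":
    G, rows = linear_generator(64, 65, seed=7)
    D, c = linear_distinguisher(rows)
    print(acceptance_rates(D, G, 64, 65))          # (1.0, about 0.5)
    print(unbiased_two_bit_functions_are_affine())  # True
```

The parity test is a distinguisher with advantage 1/2 that costs one linear pass over the output, which is the sense in which "linearly dependent" means "biased" in the note. Since the tag vector is produced by invertible row operations on the identity, the returned dependency is always nonzero whenever m > n; the same elimination routine recovers a linear distinguisher for any generator whose outputs are affine in the seed.
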
References

  1. Agrawal, M., Allender, E., Rudich, S.: Reductions in circuit complexity: an isomorphism theorem and a gap theorem. J. Comput. Syst. Sci. 57(2), 127–143 (1998)

  2. Ajtai, M.: Generating hard instances of lattice problems. In: Proc. of 28th STOC, pp. 99–108 (1996). Full version in Electronic Colloquium on Computational Complexity (ECCC)

  3. Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proc. of 29th STOC, pp. 284–293 (1997)

  4. Alekhnovich, M.: More on average case vs approximation complexity. In: Proc. of 44th FOCS, pp. 298–307 (2003)

  5. Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC^0. SIAM J. Comput. 36(4), 845–888 (2006). Preliminary version in Proc. of 45th FOCS, 2004

  6. Babai, L., Nisan, N., Szegedy, M.: Multiparty protocols and logspace-hard pseudorandom sequences. In: Proc. of 21st STOC, pp. 1–11 (1989)

  7. Barrington, D.A.: Bounded-width polynomial-size branching programs recognize exactly those languages in NC^1. In: Proc. of 18th STOC, pp. 1–5 (1986)

  8. Blum, M.: Coin flipping by telephone: a protocol for solving impossible problems. SIGACT News 15(1), 23–27 (1983)

  9. Blum, M., Goldwasser, S.: An efficient probabilistic public-key encryption scheme which hides all partial information. In: Advances in Cryptology: Proc. of CRYPTO '84. LNCS, vol. 196, pp. 289–302 (1985)

  10. Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13, 850–864 (1984). Preliminary version in Proc. of FOCS '82

  11. Canetti, R., Krawczyk, H., Nielsen, J.: Relaxing chosen ciphertext security of encryption schemes. In: Advances in Cryptology: Proc. of CRYPTO '03. LNCS, vol. 2729, pp. 565–582 (2003)

  12. Capalbo, M., Reingold, O., Vadhan, S., Wigderson, A.: Randomness conductors and constant-degree lossless expanders. In: Proc. of 34th STOC, pp. 659–668 (2002)

  13. Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)

  14. Cramer, R., Fehr, S., Ishai, Y., Kushilevitz, E.: Efficient multi-party computation over rings. In: Advances in Cryptology: Proc. of EUROCRYPT '03, pp. 596–613 (2003)

  15. Cryan, M., Miltersen, P.B.: On pseudorandom generators in NC^0. In: Proc. of 26th MFCS (2001)

  16. Damgård, I.B.: Collision free hash functions and public key signature schemes. In: Advances in Cryptology: Proc. of EUROCRYPT '87, pp. 203–216 (1988)

  17. Damgård, I.B., Pedersen, T.P., Pfitzmann, B.: On the existence of statistically hiding bit commitment schemes and fail-stop signatures. In: Advances in Cryptology: Proc. of CRYPTO '93. LNCS, vol. 773, pp. 250–265 (1994)

  18. Feigenbaum, J.: Locally random reductions in interactive complexity theory. In: Advances in Computational Complexity Theory. DIMACS Series on Discrete Mathematics and Theoretical Computer Science, vol. 13, pp. 73–98 (1993)

  19. Gamal, T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Advances in Cryptology: Proc. of CRYPTO '84. LNCS, vol. 196, pp. 10–18 (1985). Also published in IEEE Transactions on Information Theory IT-31(4) (1985)

  20. Goldberg, A.V., Kharitonov, M., Yung, M.: Lower bounds for pseudorandom number generators. In: Proc. of 30th FOCS, pp. 242–247 (1989)

  21. Goldreich, O.: Modern Cryptography, Probabilistic Proofs and Pseudorandomness. Algorithms and Combinatorics, vol. 17. Springer, Berlin (1998)

  22. Goldreich, O.: Candidate one-way functions based on expander graphs. Electron. Colloq. Comput. Complex. 7, 090 (2000)

  23. Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, Cambridge (2001)

  24. Goldreich, O.: Foundations of Cryptography: Basic Applications. Cambridge University Press, Cambridge (2004)

  25. Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. Electron. Colloq. Comput. Complex. 96, 042 (1996)

  26. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33, 792–807 (1986)

  27. Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(2), 167–189 (1996)

  28. Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: Proc. of 21st STOC, pp. 25–32 (1989)

  29. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984). Preliminary version in Proc. of STOC '82

  30. Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. In: Advances in Cryptology: Proc. of CRYPTO '06, pp. 22–40 (2006)

  31. Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: Proc. of 42nd STOC, pp. 437–446 (2010)

  32. Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Advances in Cryptology: Proc. of CRYPTO '96. LNCS, vol. 1109, pp. 201–215 (1996)

  33. Håstad, J.: One-way permutations in NC^0. Inf. Process. Lett. 26, 153–155 (1987)

  34. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

  35. Hsiao, C.Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Advances in Cryptology: Proc. of CRYPTO '04. LNCS, vol. 3152, pp. 92–105 (2004)

  36. Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: Proc. of 30th FOCS, pp. 230–235 (1989)

  37. Impagliazzo, R., Naor, M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptol. 9, 199–216 (1996)

  38. Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: Proc. of 41st FOCS, pp. 294–304 (2000)

  39. Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Proc. of 29th ICALP, pp. 244–256 (2002)

  40. Kharitonov, M.: Cryptographic hardness of distribution-specific learning. In: Proc. of 25th STOC, pp. 372–381 (1993)

  41. Kilian, J.: Founding cryptography on oblivious transfer. In: Proc. of 20th STOC, pp. 20–31 (1988)

  42. Linial, N., Mansour, Y., Nisan, N.: Constant depth circuits, Fourier transform, and learnability. J. ACM 40(3), 607–620 (1993). Preliminary version in Proc. of 30th FOCS, 1989

  43. Mossel, E., Shpilka, A., Trevisan, L.: On ε-biased generators in NC^0. In: Proc. of 44th FOCS, pp. 136–145 (2003)

  44. Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4, 151–158 (1991)

  45. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004). Preliminary version in Proc. of 38th FOCS, 1997

  46. Nisan, N.: Pseudorandom generators for space-bounded computation. Combinatorica 12(4), 449–461 (1992)

  47. Pedersen, T.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Advances in Cryptology: Proc. of CRYPTO '91. LNCS, vol. 576, pp. 129–149 (1991)

  48. Rabin, M.O.: Digitalized signatures and public key functions as intractable as factoring. Technical Report 212, LCS, MIT (1979)

  49. Regev, O.: New lattice based cryptographic constructions. In: Proc. of 35th STOC, pp. 407–416 (2003)

  50. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  51. Viola, E.: The complexity of constructing pseudorandom generators from hard functions. Comput. Complex. 13(3–4), 147–188 (2005)

  52. Viola, E.: On constructing parallel pseudorandom generators from one-way functions. In: Proc. of 20th Conference on Computational Complexity (CCC), pp. 183–197 (2005)

  53. Yao, A.C.: Theory and application of trapdoor functions. In: Proc. of 23rd FOCS, pp. 80–91 (1982)

  54. Yao, A.C.: How to generate and exchange secrets. In: Proc. of 27th FOCS, pp. 162–167 (1986)

  55. Yu, X., Yung, M.: Space lower-bounds for pseudorandom-generators. In: Proc. of 9th Structure in Complexity Theory Conference, pp. 186–197 (1994)

© 2014 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Applebaum, B. (2014). Cryptography in NC^0. In: Cryptography in Constant Parallel Time. Information Security and Cryptography. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17367-7_4

  • DOI: https://doi.org/10.1007/978-3-642-17367-7_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17366-0

  • Online ISBN: 978-3-642-17367-7