1 Introduction

A central objective in the theory of cryptography is to classify the relative complexity of various cryptographic tasks. One common way of arguing that task B is of comparable easiness to task A is to give a black-box implementation of B using A as a primitive. Notable examples include the construction of pseudorandom generators from one-way permutations [GL89] and one-way functions [HILL99, HRV10].

But how should we argue that task B is “more complex” than task A? In the generic setting, one looks for the existence of a black-box separation [IR89, RTV04], or a lower bound on the query complexity of a black-box reduction [GT00]. However, such black-box impossibility results are not always a good indicator of the relative complexity of the two tasks in the real world (under suitable complexity assumptions). For example, although collision-resistant hash functions cannot be constructed from one-way functions in a black-box manner [Sim98], both objects have simple, local (\(\mathrm {NC}^0\)) implementations under standard assumptions [AIK07].

An alternative way to argue that task B is more complex than task A is to provide a concrete complexity model in which one can implement A (under plausible assumptions), but not B. For example, Applebaum et al. [AIK07] show that under plausible complexity assumptions, nontrivial pseudorandom generators can be implemented in the complexity class \(\mathrm {NC}^0\). However, it is not difficult to see that this class does not contain pseudorandom functions; in fact, Linial, Mansour, and Nisan [LMN93] show that pseudorandom functions cannot be implemented even in \(\mathrm {AC}^0\). Taken together, these results may be viewed as concrete evidence that pseudorandom functions are more complex than pseudorandom generators, despite the existence of a black-box reduction [GGM86] and the lack of lower bounds on the complexity of such reductions [MV11].

In this work we give concrete complexity-theoretic evidence that homomorphic evaluation of essentially any non-trivial functionality is more complex than the basic cryptographic operations of key generation, encryption, and decryption. Our main result (Theorem 2) shows that homomorphic evaluation of any non-trivial functionality (for example the AND function) that depends on sufficiently many inputs cannot be implemented by circuits of constant depth and subexponential size with respect to any CPA secure encryption scheme. In Sect. 4 we show that encryption schemes in \(\mathrm {AC}^0\) of super-polynomial CPA security exist assuming Learning Noisy Parities is exponentially hard.

Thus constant-depth circuits provide sufficient computational power for implementing operations in both ordinary private and public-key encryption schemes (under a previously studied assumption), but not for realizing homomorphic evaluation of any non-trivial functionality.

2 Definitions

In this section we give a definition of what it means for an algorithm E to homomorphically evaluate a given functionality f. A fairly weak requirement is that a homomorphic evaluator for \(f(m_1, \dots , m_k)\) should take as inputs encryptions of \(m_1, \dots , m_k\) and output a ciphertext that decrypts to \(f(m_1, \dots , m_k)\).

We will allow for the evaluation algorithm to err on some fraction of the encryptions. This takes into account the possibility that the encryption scheme itself may produce incorrect encryptions with some probability.

Definition 1

Let \((\mathbf {Gen}, \mathbf {Enc}, \mathbf {Dec})\) be a private-key encryption scheme over message set \(\varSigma \) with ciphertexts in \(\{0,1\}^n\). We say a circuit E is a homomorphic evaluator of \(f:\varSigma ^k \rightarrow \varSigma \) with error \(\delta \) if for all \(m_1, \ldots , m_k \in \varSigma \),

$$\begin{aligned} \mathrm {Pr}[\mathbf {Dec}_{SK}(E(\mathbf {Enc}_{SK}(m_1, R_1), \ldots , \mathbf {Enc}_{SK}(m_k, R_k))) = f(m_1, \ldots , m_k)] \ge 1 - \delta , \end{aligned}$$

where \(SK \sim \mathbf {Gen}\) is a uniformly chosen secret key and \(R_1, \dots , R_k\) are independent random seeds.

In the public-key setting, we are given an encryption scheme \((\mathbf {Gen}, \mathbf {Enc}, \mathbf {Dec})\) and require that

figure a

where \((PK, SK) \sim \mathbf {Gen}\) is a random key pair.

We point out one challenge that this natural definition poses in the context of ruling out the existence of homomorphic evaluators. When k is much smaller than n, the definition allows for plausible encryption schemes that admit trivial homomorphic evaluators, by “outsourcing” the homomorphic evaluation to the decryption algorithm. For example, suppose that the meaningful portion of an encryption is only captured in the first n / k bits of the ciphertext. Then the homomorphic evaluator can simply copy the meaningful portion of its k encryptions into non-overlapping parts of the output. Upon seeing a ciphertext of this form, the decryption algorithm can easily compute the value \(f(m_1, \dots , m_k)\) by first decrypting the ciphertext corresponding to each of the k encryptions and then evaluating f.

Thus our negative result will only apply to functions whose number of relevant inputs k is sufficiently large in terms of n. Beyond this requirement, we do not make any assumption on f.
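The “outsourcing” evaluator described above, written out as an added example (this toy scheme and all names in it are constructed for illustration and are not from the paper; the scheme is not secure, it only exhibits the structure that the k-versus-n requirement rules out):

```python
import secrets

# Constructed toy parameters: n-bit ciphertexts, k inputs, and only the
# first n/k bits of a ciphertext carry information (the "meaningful portion").
N, K = 32, 4
BLOCK = N // K

def gen():
    """Secret key: a single pad bit. Illustrative only; not a secure scheme."""
    return secrets.randbits(1)

def enc(sk, m, r=None):
    """Encrypt bit m. Layout: [tag=0, m xor sk, filler...]. Everything after the
    first BLOCK bits is random filler (supplied by the seed r) that Dec ignores."""
    filler = [secrets.randbits(1) for _ in range(N - 2)] if r is None else list(r)
    return [0, m ^ sk] + filler[: N - 2]

def eval_and(*cts):
    """The trivial evaluator for f = AND: depth-0 wiring that copies the meaningful
    portion of each of the k ciphertexts into a distinct slot of the output and
    sets the tag of the first slot to 1, so that Dec finishes the evaluation."""
    assert len(cts) == K
    packed = []
    for c in cts:
        packed += c[:BLOCK]
    packed[0] = 1
    return packed

def dec(sk, c):
    """Decrypt. On a tagged (packed) ciphertext, decrypt every slot and evaluate f."""
    if c[0] == 0:
        return c[1] ^ sk
    bits = [c[i * BLOCK + 1] ^ sk for i in range(K)]
    return int(all(bits))

def check_definition(sk=None):
    """Definition 1 with delta = 0: Dec(E(Enc(m_1), ..., Enc(m_k))) == AND(m) for all m."""
    sk = gen() if sk is None else sk
    for x in range(2 ** K):
        msgs = [(x >> j) & 1 for j in range(K)]
        cts = [enc(sk, m) for m in msgs]
        if dec(sk, eval_and(*cts)) != int(all(msgs)):
            return False
    return True
```

The evaluator is pure wiring, so no circuit lower bound can apply to it; the work has moved into Dec, which is exactly why Theorem 2 needs k to be large relative to n.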

The requirement we make on the encryption scheme is CPA message indistinguishability. A private-key encryption scheme is \((s, d, \varepsilon )\) CPA message indistinguishable if for every pair of messages \(m, m' \in \varSigma \) and every distinguishing oracle circuit \(D^?\) of size s and depth d,

figure b

In the public key setting CPA security follows from ordinary message indistinguishability:

$$\begin{aligned} \vert \mathrm {Pr}_{PK, R}[D(PK, \mathbf {Enc}_{PK}(m, R)) = 1] - \mathrm {Pr}_{PK, R}[D(PK, \mathbf {Enc}_{PK}(m', R)) = 1]\vert \le \varepsilon . \end{aligned}$$

3 Homomorphic Evaluation Requires Depth

Theorem 2

Suppose \((\mathbf {Gen}, \mathbf {Enc}, \mathbf {Dec})\) is a \((2s\,+\,k\,+\,O(1), d\,+\,1, 1/6(k\,+\,1))\) CPA message indistinguishable private-key (resp. public-key) encryption scheme. Let E be a homomorphic evaluator of size s and depth d with error at most 1 / 3 for some \(f: \varSigma ^k \rightarrow \varSigma \) that depends on all of its inputs with respect to this scheme. Then \(s > 2^{\varOmega ((k/6n)^{1/(d-1)})}\).

For notational simplicity, we present the proof for the private-key variant. Since f depends on all its inputs, for every \(i\in [k]\) there is a pair of messages m and \(m'\) that differ only in coordinate i such that \(f(m) \ne f(m')\). Now suppose E is a homomorphic evaluator for f with error 1 / 3. Then

$$\begin{aligned} \mathrm {Pr}[\mathbf {Dec}(E(\mathbf {Enc}(m_1, R_1), \ldots , \mathbf {Enc}(m_i, R_i), \ldots , \mathbf {Enc}(m_k, R_k))) \ne f(m)] \le 1/3 \end{aligned}$$

and

$$\begin{aligned} \mathrm {Pr}[\mathbf {Dec}(E(\mathbf {Enc}(m_1, R_1), \ldots , \mathbf {Enc}(m_i', R_i'), \ldots , \mathbf {Enc}(m_k, R_k))) \ne f(m')] \le 1/3, \end{aligned}$$

where the probability is taken over the choice of secret key SK (which we omit to simplify notation) and the randomness \(R_1, \ldots , R_i, R_i', \ldots , R_k\) used in the encryption. Since \(f(m) \ne f(m')\), it follows that

figure c

Therefore it must be that

figure d

By CPA message indistinguishability and a hybrid argument, we can replace \(m_1, \ldots , m_i, m_i', \ldots , m_k\) by 0 to obtain

$$\begin{aligned}&\mathrm {Pr}[E(\mathbf {Enc}(0, R_1), \ldots , \mathbf {Enc}(0, R_i), \ldots , \mathbf {Enc}(0, R_k)) \nonumber \\&\qquad \qquad \qquad \ne E(\mathbf {Enc}(0, R_1), \ldots , \mathbf {Enc}(0, R_i'), \ldots , \mathbf {Enc}(0, R_k))] \ge 1/6. \end{aligned}$$
(1)

Lemma 3

Let \(D_1, \dots , D_k\) be any distributions over \(\{0,1\}^n\). Let \(g: (\{0,1\}^n)^k \rightarrow \{0,1\}\) be a circuit of size s and depth d where \(s \le 2^{(\varepsilon k)^{1/(d-1)}/K}\) for some absolute constant K. Then

$$\begin{aligned} \mathrm {Pr}[g(X_1, \ldots , X_i, \ldots , X_k) \ne g(X_1, \ldots , X_i', \ldots , X_k)] < \varepsilon \end{aligned}$$

where the randomness is taken over the choice of \(i \sim [k]\) and independent samples \(X_1 \sim D_1, \dots , X_i, X_i' \sim D_i, \dots , X_k \sim D_k\).

We apply this lemma with \(D_i\) equal to the distribution of encryptions of 0 and \(\varepsilon = 1/6n\) to each of the n outputs of E and take a union bound to conclude that (1) is violated unless \(s > 2^{\varOmega ((k/6n)^{1/(d-1)})}\).

Proof

(of Lemma 3). Fix any pair \(Z, Z' \in (\{0,1\}^n)^k\). For any \(w \in \{0,1\}^k\), let \(Z_w \in (\{0,1\}^n)^k\) be the string such that

$$\begin{aligned} \text {the}~i\text {-th block of}~Z_w = {\left\{ \begin{array}{ll} \text {the}~i\text {-th block of}~Z, &{}\text {if}~w_i = 0 \\ \text {the}~i\text {-th block of}~Z', &{}\text {if}~w_i = 1. \end{array}\right. } \end{aligned}$$

Let \(h_{Z, Z'}(w) = g(Z_w)\). Then h is of size at most s and depth at most d. By Boppana [Bop97], for every Z and \(Z'\) we have

$$\begin{aligned} \mathrm {Pr}_{\begin{array}{c} W, i \end{array}}[h_{Z, Z'}(W) \ne h_{Z, Z'}(W + e_i)] \le (K \log s)^{d-1}/k \end{aligned}$$

for some constant K, where W and i are uniform over \(\{0,1\}^k\) and [k] respectively, and \(e_i\) is the i-th indicator vector. Therefore for \(Z, Z'\) sampled independently from \(D_1 \times \dots \times D_k\) we can rewrite \(\mathrm {Pr}[g(X_1, \ldots , X_i, \ldots , X_k) \ne g(X_1, \ldots , X_i', \ldots , X_k)]\) as

$$\begin{aligned} \mathrm {E}_{Z, Z'} [\mathrm {Pr}_{W, i}[h_{Z, Z'}(W) \ne h_{Z, Z'}(W + e_i)]]&\le \mathrm {E}_{Z, Z'}[(K \log s)^{d-1}/k] \\&= (K \log s)^{d-1}/k. \end{aligned}$$

Solving \((K \log s)^{d-1}/k \le \varepsilon \) for s gives \(\log s \le (\varepsilon k)^{1/(d-1)}/K\). It follows that this probability is at most \(\varepsilon \) whenever \(s \le 2^{(\varepsilon k)^{1/(d-1)}/K}\), as claimed.

Lemma 3 bounds the total influence of shallow circuits under independent inputs chosen from an arbitrary distribution. Our proof is based on ideas of Blais, O’Donnell, and Wimmer [BOW10], who bound the noise sensitivity of such circuits.
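The quantity bounded by Lemma 3, computed exactly for small parameters, as an added example that is not part of the paper. It enumerates every \(X \in (\{0,1\}^n)^k\), every \(i \in [k]\) and every resampled block \(X_i'\) under uniform \(D_i\) (the function names and the sample circuits are constructed here), and contrasts a depth-1 circuit with parity, which is not shallow and whose block influence does not shrink with k.

```python
from itertools import product
from fractions import Fraction

def blocks(bits, n, k):
    """Split a flat tuple of n*k bits into k blocks of n bits each."""
    return [bits[i * n:(i + 1) * n] for i in range(k)]

def block_influence_exact(g, n, k):
    """Exact Pr[g(X_1..X_i..X_k) != g(X_1..X_i'..X_k)] of Lemma 3 for uniform D_i,
    with i uniform over [k] and X_i' an independent fresh block. Returns a Fraction."""
    bad = 0
    for bits in product((0, 1), repeat=n * k):
        xs = blocks(bits, n, k)
        base = g(xs)
        for i in range(k):
            for fresh in product((0, 1), repeat=n):
                ys = list(xs)
                ys[i] = fresh  # resample only block i
                if g(ys) != base:
                    bad += 1
    return Fraction(bad, 2 ** (n * k) * k * 2 ** n)

def size_bound(eps, k, d, K):
    """Largest size s for which Lemma 3 applies: s <= 2^((eps*k)^(1/(d-1))/K)."""
    return 2 ** ((eps * k) ** (1 / (d - 1)) / K)

# Constructed sample circuits over k blocks; each reads only the first bit of a block.
def and_of_first_bits(xs):
    """Depth-1 AND gate: its block influence is 2^-k, decaying with k."""
    return int(all(x[0] for x in xs))

def or_of_first_bits(xs):
    """Depth-1 OR gate: same influence as AND by symmetry."""
    return int(any(x[0] for x in xs))

def parity_of_first_bits(xs):
    """Parity (not in AC^0): resampling any block flips the output half the time."""
    return sum(x[0] for x in xs) % 2

if __name__ == "__main__":
    for g in (and_of_first_bits, or_of_first_bits, parity_of_first_bits):
        print(g.__name__, block_influence_exact(g, 2, 3))
```

The enumeration is exponential in nk, so it is only a check of the lemma on toy sizes; the paper's argument applies the lemma once per output bit of E with \(\varepsilon = 1/6n\).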

4 On CPA-Secure Encryption Schemes in \(\mathrm {AC}^0\)

In this section we show that encryption schemes in \(\mathrm {AC}^0\) of super-polynomial CPA security exist assuming Learning Noisy Parities over \(\{0,1\}^n\) requires time \(2^{\varOmega (n^\delta )}\) for some constant \(\delta > 0\).

To begin with, we observe that asymptotically super-polynomial security cannot be achieved by \(\mathrm {NC}^0\) decryption circuits: If every output of the decryption circuit depends on at most d bits of the ciphertext, then for any message m the decryption circuit on the distribution of encryptions of m can be PAC-learned in time \(O_d(n^d)\), violating CPA security.

We obtain candidate encryption schemes in \(\mathrm {AC}^0\) by applying the following reduction:

Lemma 4

For every \(d > 0\), every (public or private key) encryption scheme of size S and depth D can be implemented in size \(S2^D \cdot 2^{d \cdot D \cdot S^{1/d}}\) and depth \(2d\,+\,1\).

In particular, encryption schemes in the class \(\mathrm {NC}^2\) can be simulated by constant-depth circuit families of size \(2^{O(n^{\varepsilon })}\) for any constant \(\varepsilon > 0\).

Two such schemes are the private-key one of Gilbert et al. [GRS08] and the public-key one of Alekhnovich [Ale11, Cryptosystem 1]. The key generation, encryption, and decryption algorithms for these schemes apply linear algebra over \(\mathbb F_2\) and thus admit \(\mathrm {NC}^2\) implementations [Ber84]. The security of these two schemes is based on the hardness of Learning Noisy Parities.

Noisy Parities over \(\mathbb F_2^n\) with noise rate \(\eta \) can be learned by brute force in time \(\mathrm {poly}(n) \cdot \left( {\begin{array}{c}n\\ \eta n\end{array}}\right) \). A slight improvement in the exponent is achievable for high noise rates using the algorithm of Blum, Kalai, and Wasserman [BKW03]. Its running time is \(2^{\varTheta (n/\log n)}\). Assuming noisy parities are hard to learn in time \(2^{\varOmega (n^\delta )}\) for some constant \(\delta > 0\), it follows from Lemma 4 that the above schemes have constant-depth implementations whose security is super-polynomial in their size. The error rate can be assumed constant in the cryptosystem of Gilbert et al. and \(1/\sqrt{n}\) in the cryptosystem of Alekhnovich.

The cryptosystems of Gilbert et al. and Alekhnovich have noticeable encryption error. The error can be reduced to negligible by encrypting the message independently multiple times. While some of the multiple encryptions may be erroneous, with all but negligible probability at least 2/3 of them will be correct. The errors can be corrected by taking approximate majority at the decryption stage, which can be implemented using circuits of depth 3 [Ajt83], thereby preserving the constant depth complexity of the implementation.
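The error-reduction step just described, as an added example that is not from the paper: a constructed toy base scheme with a noticeable encryption error is encrypted t times independently, decryption takes a majority, and the exact probability that fewer than 2/3 of the copies are correct is computed. The names, the base scheme and its error rate are all assumptions of this example.

```python
import random
from fractions import Fraction
from math import comb, ceil

P_ERR = Fraction(1, 5)  # constructed: error rate of the toy base scheme

def base_enc(sk, m, rng):
    """Toy base scheme (constructed): pad bit m with sk, but with probability
    P_ERR the ciphertext is corrupted so that base_dec returns the wrong bit."""
    c = m ^ sk
    if rng.random() < P_ERR:
        c ^= 1
    return c

def base_dec(sk, c):
    return c ^ sk

def rep_enc(sk, m, t, rng):
    """Encrypt m independently t times; each copy uses fresh randomness."""
    return [base_enc(sk, m, rng) for _ in range(t)]

def rep_dec(sk, cts):
    """Majority decoding of the t copies. In the constant-depth setting this is
    where approximate majority [Ajt83] is used: the input is promised to have
    either at least 2/3 or at most 1/3 ones, so an exact majority is unnecessary."""
    ones = sum(base_dec(sk, c) for c in cts)
    return int(ones > len(cts) - ones)

def failure_prob(p, t, frac=Fraction(2, 3)):
    """Exact Pr[fewer than frac*t of the t copies decrypt correctly] for error rate p."""
    need = ceil(frac * t)
    return sum(Fraction(comb(t, j)) * (1 - p) ** j * p ** (t - j) for j in range(need))

if __name__ == "__main__":
    rng = random.Random(2024)
    sk = rng.randint(0, 1)
    for t in (1, 3, 15, 61):
        print(t, "copies: Pr[< 2/3 correct] =", float(failure_prob(P_ERR, t)),
              "decrypts to", rep_dec(sk, rep_enc(sk, 1, t, rng)))
```

Each extra copy costs only size, not depth, which is why the wrapped scheme stays in \(\mathrm {AC}^0\).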

Proof

(of Lemma 4). We show that the conclusion holds for every circuit of size S and depth D, so in particular it holds for the key generation, encryption, and decryption circuits (where the circuits are viewed as functions of both their input and their randomness). This is folklore and was recently used in [LV15]. We sketch the proof for completeness.

First, every circuit of size S and depth D can be simulated by a branching program of length S and width \(2^D\) by traversing the circuit in depth first order while maintaining the value of the evaluated subtree at each level.

Second, for every k, every branching program of length S and width W can be written as an OR of \(W^k\) ANDs of k branching programs of length S / k and width W. This representation is obtained by factoring the branching program over its states at time S / k, 2S / k, up to \((k-1)S/k\).

Applying this transformation recursively d times, we obtain a simulation of a size S, depth D circuit by a size \((kW^k)^d\), depth 2d circuit whose inputs are branching programs of length \(S/k^d\) and width W. Each such branching program can be trivially simulated by a CNF of size \(W^{S/k^d}\). Putting this together, we obtain a simulation of size S, depth D circuits by size \(k^d W^{dk + S/k^d}\), depth \(2d\,+\,1\) circuits. Setting \(k = S^{1/d}\) proves the lemma.