Computationally Private Randomizing Polynomials and Their Applications


Benny Applebaum, Yuval Ishai, Eyal Kushilevitz
Computer Science Department, Technion
March 5, 2006

Abstract

Randomizing polynomials allow to represent a function f(x) by a low-degree randomized mapping f̂(x, r) whose output distribution on an input x is a randomized encoding of f(x). It is known that any function f in uniform- L/poly (and in particular in NC^1) can be efficiently represented by degree-3 randomizing polynomials. Such a degree-3 representation gives rise to an NC^0_4 representation, in which every bit of the output depends on only 4 bits of the input.

In this paper, we study the relaxed notion of computationally private randomizing polynomials, where the output distribution of f̂(x, r) should only be computationally indistinguishable from a randomized encoding of f(x). We construct degree-3 randomizing polynomials of this type for every polynomial-time computable function, assuming the existence of a cryptographic pseudorandom generator (PRG) in uniform- L/poly. (The latter assumption is implied by most standard intractability assumptions used in cryptography.) This result is obtained by combining a variant of Yao's garbled circuit technique with previous information-theoretic constructions of randomizing polynomials.

We then present the following applications:

Relaxed assumptions for cryptography in NC^0. Assuming a PRG in uniform- L/poly, the existence of an arbitrary public-key encryption, commitment, or signature scheme implies the existence of such a scheme in NC^0_4. Previously, one needed to assume the existence of such schemes in uniform- L/poly or similar classes.

New parallel reductions between cryptographic primitives. We show that even some relatively complex cryptographic primitives, including (stateless) symmetric encryption and digital signatures, are NC^0-reducible to a PRG. No parallel reductions of this type were previously known, even in NC. Our reductions make a non-black-box use of the underlying PRG.

Application to secure multi-party computation. Assuming a PRG in uniform- L/poly, the task of computing an arbitrary (polynomial-time computable) function with computational security can be reduced to the task of securely computing degree-3 polynomials (say, over GF(2)) without further interaction. This gives rise to new, conceptually simpler, constant-round protocols for general functions.

A preliminary version of this paper appeared in the proceedings of CCC. Research supported by grant no. 36/03 from the Israel Science Foundation.

1 Introduction

To what extent can one simplify the task of computing a function f by settling for computing some (possibly randomized) encoding of its output? The study of this question was initiated in the context of secure multi-party computation [IK00, IK02], and has recently found applications to parallel constructions of cryptographic primitives [AIK04]. In this paper we consider a relaxed variant of this question and present some new constructions and cryptographic applications.

The above question can be formally captured by the following notion. We say that a function f̂(x, r) is a randomized encoding of a function f(x), if its output distribution depends only on the output of f. More precisely, we require that: (1) given f̂(x, r) one can efficiently recover f(x), and (2) given f(x) one can efficiently sample from the distribution of f̂(x, r) induced by a uniform choice of r. This notion of randomized encoding defines a nontrivial relaxation of the usual notion of computing, and thus gives rise to the following question: Can we encode "complex" functions f by "simple" functions f̂? This question is motivated by the fact that in many cryptographic applications, f̂ can be securely used as a substitute for f [IK00, AIK04]. For instance, if f is a one-way function then so is f̂.

It should be noted that different applications motivate different interpretations of the term "simple" above. In the context of multi-party computation, one is typically interested in minimizing the algebraic degree of f̂, viewing it as a vector of multivariate polynomials over a finite field. In this context, f̂ was referred to as a representation of f by randomizing polynomials [IK00]. In other contexts it is natural to view f̂ as a function over binary strings and attempt to minimize its parallel time complexity [AIK04]. From here on, we will refer to f̂ as a randomized encoding of f (or simply encoding for short) except when we wish to stress that we are interested in minimizing the degree.

It was shown in [IK00, IK02] that every function f in L/poly (footnote 1) can be efficiently represented by degree-3 randomizing polynomials over GF(2). (footnote 2) Moreover, every degree-3 encoding can in turn be converted into an NC^0 encoding with locality 4, namely one in which every bit of the output depends on only 4 bits of the input [AIK04]. A major question left open by the above results is whether every polynomial-time computable function admits an encoding in NC^0. In this work we consider a relaxed notion of computationally private randomized encodings, where requirement (2) above is relaxed to allow sampling from a distribution which is computationally indistinguishable from f̂(x, r). As it turns out, computationally private encodings are sufficient for most applications. Thus, settling the latter question for the relaxed notion may be viewed as a second-best alternative.

Footnote 1. For brevity, all complexity classes are assumed to be polynomial-time uniform by default. In particular, the class L/poly is assumed to be polynomial-time uniform. (See Section 2 for a definition of this class.) The class L/poly contains L/poly and NC^1 and is contained in NC^2. In the non-uniform setting nonuniform- L/poly also contains nonuniform-NL/poly [Wig94]. However, such an inclusion is not known to hold in the uniform setting.

Footnote 2. This result generalizes to arbitrary finite fields [IK02] or even rings [CFIK03], allowing efficient degree-3 representations of various counting logspace classes.

1.1 Overview of Results and Techniques

We construct a computationally private encoding in NC^0 for every polynomial-time computable function, assuming the existence of a "minimal" cryptographic pseudorandom generator (PRG) [BM84, Yao82], namely one that stretches its seed by just one bit, in L/poly. (footnote 3) We refer to the latter assumption as the "Easy PRG" (EPRG) assumption. (This assumption can be slightly relaxed, e.g., to also be implied by the existence of a PRG in NL/poly; see Remark 4.16.) We note that EPRG is a very mild assumption. In particular, it is implied by most concrete intractability assumptions commonly used in cryptography, such as ones related to factoring, discrete logarithm, or lattice problems (see [AIK04, Remark 6.6]). It is also implied by the existence in L/poly of a one-way permutation or, using [HILL99], of any regular one-way function (OWF); i.e., a OWF f = {f_n} that maps the same (polynomial-time computable) number of elements in {0,1}^n to every element in Im(f_n). (This is the case, for instance, for any one-to-one OWF.) (footnote 4) The NC^0 encoding we obtain under the EPRG assumption has degree 3 and locality 4. Its size is nearly linear in the circuit size of the encoded function.

Footnote 3. It is not known whether such a minimal PRG implies a PRG in the same class that stretches its seed by a linear or superlinear amount.

We now give a high-level overview of our construction. Recall that we wish to encode a polynomial-time computable function by an NC^0 function. To do this we rely on a variant of Yao's garbled circuit technique [Yao86]. Roughly speaking, Yao's technique allows to efficiently encrypt a boolean circuit in a way that enables to compute the output of the circuit but hides any other information about the circuit's input. These properties resemble the ones required for randomized encoding. (footnote 5) Moreover, the garbled circuit enjoys a certain level of locality (or parallelism) in the sense that gates are encrypted independently of each other. Specifically, each encrypted gate is obtained by applying some cryptographic primitive (typically, a high-stretch PRG or an encryption scheme with special properties), on a constant number of (long) random strings and, possibly, a single input bit. However, the overall circuit might not have constant locality (it might not even be computable in NC) as the cryptographic primitive being used in the gates might be sequential in nature. Thus, the bottleneck of the construction is the parallel time complexity of the primitive being used. Recently, it was shown in [AIK04] (via information theoretic randomized encoding) that under relatively mild assumptions many cryptographic primitives can be computed in NC^0.
Hence, we can try to plug one of these primitives into the garbled circuit construction in order to obtain an encoding with constant locality. However, a direct use of this approach would require stronger assumptions (footnote 6) than EPRG and result in an NC^0 encoding with inferior parameters. Instead, we use the following variant of this approach.

Our construction consists of three steps. The first step is an NC^0 implementation of one-time symmetric encryption using a minimal PRG as an oracle. (Such an encryption allows to encrypt a single message whose length may be polynomially larger than the key. Note that we are only assuming the existence of a minimal PRG, i.e., a PRG that stretches its seed only by one bit. Such a PRG cannot be directly used to encrypt long messages.) The second and main step of the construction relies on a variant of Yao's garbled circuit technique [Yao86] to obtain an encoding in NC^0 which uses one-time symmetric encryption as an oracle. By combining these two steps we get an encoding that can be computed by an NC^0 circuit which uses a minimal PRG as an oracle. Finally, using the EPRG assumption and [AIK04], we apply a final step of information-theoretic encoding to obtain an encoding in NC^0 with degree 3 and locality 4.

The above result gives rise to several types of cryptographic applications, discussed below.

Footnote 4. Using [HILL99] or [HHR05] this regularity requirement can be relaxed. See [AIK04, Footnote 14].

Footnote 5. This similarity is not coincidental as both concepts were raised in the context of secure multiparty computation. Indeed, an information theoretic variant of Yao's garbled circuit technique was already used in [IK02] to construct low degree randomized encoding for NC^1 functions.

Footnote 6. Previous presentations of Yao's garbled circuit relied on primitives that seem less likely to allow an NC^0 implementation. Specifically, [BMR90, NPS99] require linear stretch PRG and [LP04] requires symmetric encryption that enjoys some additional properties.

Relaxed assumptions for cryptography in NC^0

The question of minimizing the parallel time complexity of cryptographic primitives has been the subject of an extensive body of research (see [NR99, AIK04] and references therein). Pushing parallelism to the extreme, it is natural to ask whether one can implement cryptographic primitives in NC^0. While it was known that few primitives, including pseudorandom functions [GGM86], cannot even be implemented in AC^0 [LMN93], no similar negative results were known for other primitives. Very recently, it was shown in [AIK04] that the existence of most cryptographic primitives in NC^0 follows from their existence in higher complexity classes such as L/poly, which is typically a very mild assumption. This result was obtained by combining the results on (information-theoretic) randomized encodings mentioned above with the fact that the security of most cryptographic primitives is inherited by their randomized encoding.

Using our construction of computationally private encodings, we can further relax the sufficient assumptions for cryptographic primitives in NC^0. The main observation is that the security of most primitives is also inherited by their computationally private encoding. This is the case even for relatively "sophisticated" primitives such as public-key encryption, digital signatures, (computationally hiding) commitments, and (interactive or non-interactive) zero-knowledge proofs. Thus, given that these primitives at all exist, (footnote 7) their existence in NC^0 follows from the EPRG assumption, namely from the existence of a PRG in complexity classes such as L/poly. Previously (using [AIK04]), the existence of each of these primitives in NC^0 would only follow from the assumption that this particular primitive can be implemented in the above classes, a seemingly stronger assumption than EPRG.

It should be noted that we cannot obtain a similar result for some other primitives, such as one-way permutations and collision-resistant hash functions. The results for these primitives obtained in [AIK04] rely on certain regularity properties of the encoding that are lost in the transition to computational privacy.

Parallel reductions between cryptographic primitives

The results of [AIK04] also give rise to new NC^0 reductions between cryptographic primitives. (Unlike the results discussed in Section above, here we consider unconditional reductions that do not rely on unproven assumptions.)
In particular, known NC^1-reductions from PRG to one-way permutations [GL89] or even to more general types of one-way functions [HILL99, Vio05, HHR05] can be encoded into NC^0-reductions (see [AIK04, Remark 6.7]). However, these NC^0-reductions crucially rely on the very simple structure of the NC^1-reductions from which they are derived. In particular, it is not possible to use the results of [AIK04] for encoding general NC^1-reductions (let alone polynomial-time reductions) into NC^0-reductions.

As a surprising application of our technique, we get a general "compiler" that converts an arbitrary (polynomial-time) reduction from a primitive P to a PRG into an NC^0-reduction from P to a PRG. This applies to all primitives P that are known to be equivalent to a one-way function, and whose security is inherited by their computationally-private encoding. In particular, we conclude that symmetric encryption, (footnote 8) commitment, and digital signatures are all NC^0-reducible to a minimal PRG (hence also to a one-way permutation or more general types of one-way functions).

No parallel reductions of this type were previously known, even in NC. The known construction of commitment from a PRG [Nao91] requires a linear-stretch PRG (expanding n bits into n + Ω(n) bits), which is not known to be reducible in parallel to a minimal PRG. Other primitives, such as symmetric encryption and signatures, were not even known to be reducible in parallel to a polynomial-stretch PRG. For instance, the only previous parallel construction of symmetric encryption from a "low-level" primitive is based on the parallel PRF construction of [NR99]. This yields an NC^1-reduction from symmetric encryption to synthesizers, a stronger primitive than a PRG. Thus, we obtain better parallelism and at the same time rely on a weaker primitive. The price we pay is that we cannot generally guarantee parallel decryption. (See Section 5.2 for further discussion.)

An interesting feature of the new reductions is their non-black-box use of the underlying PRG. That is, the "code" of the NC^0-reduction we get (implementing P using an oracle to a PRG) depends on the code of the PRG. This should be contrasted with most known reductions in cryptography, which make a black-box use of the underlying primitive. In particular, this is the case for the abovementioned NC^0-reductions based on [AIK04]. (See [RTV04] for a thorough taxonomy of reductions in cryptography.)

Footnote 7. This condition is redundant in the case of signatures and commitments, whose existence follows from the existence of a PRG. In Section we will describe a stronger result for such primitives.

Footnote 8. By symmetric encryption we refer to (probabilistic) stateless encryption for multiple messages, where the parties do not maintain any state information other than the key. If parties are allowed to maintain synchronized states, symmetric encryption can be easily reduced in NC^0 to a PRG.

Application to secure computation

The notion of randomizing polynomials was originally motivated by the goal of minimizing the round complexity of secure multi-party computation [Yao86, GMW87, BGW88, CCD88]. The main relevant observations made in [IK00] were that: (1) the round complexity of most general protocols from the literature is related to the degree of the function being computed; and (2) if f is represented by a vector f̂ of degree-d randomizing polynomials, then the task of securely computing f can be reduced to that of securely computing some deterministic degree-d function f̂ which is closely related to f̂. This reduction from f to f̂ is fully non-interactive, in the sense that a protocol for f can be obtained by invoking a protocol for f̂ and applying a local computation on its outputs (without additional interaction).

A useful corollary of our results is that under the EPRG assumption, the task of securely computing an arbitrary polynomial-time computable function f reduces (non-interactively) to that of securely computing a related degree-3 function f̂. This reduction is only computationally secure.
Thus, even if the underlying protocol for f̂ is secure in an information-theoretic sense, the resulting protocol for f will only be computationally secure. (In contrast, previous constructions of randomizing polynomials maintained information-theoretic security, but only efficiently applied to restricted function classes such as L/poly.) This reduction gives rise to new, conceptually simpler, constant-round protocols for general functions. For instance, a combination of our result with the classical BGW protocol [BGW88] gives a simpler, and in some cases more efficient, alternative to the constant-round protocol of Beaver, Micali and Rogaway [BMR90] (though relies on a stronger assumption).

Organization. Following some preliminaries (Section 2), in Section 3 we review previous notions of randomized encoding and define our new notion of computationally private encoding. In Section 4 we construct a computationally private encoding in NC^0 for every polynomial-time computable function. Finally, applications of this construction are discussed in Section 5.

2 Preliminaries

Probability notation. We let U_n denote a random variable uniformly distributed over {0,1}^n. If X is a probability distribution, or a random variable, we write x X to indicate that x is a sample taken from X. The statistical distance between discrete probability distributions Y and Y, denoted SD(Y, Y ), is defined as the maximum, over all functions A, of the distinguishing advantage Pr[A(Y ) = 1] Pr[A(Y ) = 1]. A function ε( ) is said to be negligible if ε(n) < n c for any constant c > 0 and sufficiently large n. For two distribution ensembles {X_n}_{n N} and {Y_n}_{n N}, we write {X_n}_{n N} {Y_n}_{n N} if X_n and Y_n are identically distributed, and say that the two ensembles are statistically indistinguishable if SD(X_n, Y_n) is negligible in n. A weaker notion of closeness between distributions is that of computational indistinguishability: We write {X_n}_{n N} c {Y_n}_{n N} if for every (non-uniform) polynomial-size circuit family {A_n}, the distinguishing advantage Pr[A_n(X_n) = 1] Pr[A_n(Y_n) = 1] is negligible. (We will sometimes simplify notation and write X_n c Y_n.) By default we adapt this non-uniform notion of indistinguishability. However, our results also apply in a uniform setting in which adversaries are probabilistic polynomial-time algorithms.

We will rely on several standard facts about computational indistinguishability (cf. [Gol01, Chapter 2]).

Fact 2.1 For every distribution ensembles X, Y and Z, if X c Y and Y c Z then X c Z. That is, computational indistinguishability is transitive.

The following fact asserts that computational indistinguishability is preserved under multiple independent samples:

Fact 2.2 Let {X n }, {X n}, {Y n } and {Y n} be distribution ensembles. Suppose that X n Y n and X n Y n. Then (X n X n) c (Y n Y n), where A B denotes the product distribution of A, B (i.e., the joint distribution of independent samples from A and B).

Another basic fact is that computational indistinguishability is preserved under efficient computation:

Fact 2.3 Suppose that the distribution ensembles {X_n} and {Y_n} are computationally indistinguishable. Then for every polynomial-time computable function f we have f(X_n) c f(Y_n).

Consider a case in which two probabilistic (possibly computationally unbounded) algorithms behave "similarly" on every input, in the sense that their output distributions are computationally indistinguishable. The following two facts deal with such a situation. Fact 2.4 asserts that an efficient procedure that gets an oracle access to one of these algorithms cannot tell which algorithm it communicates with. Fact 2.5 asserts that the outputs of these algorithms cannot be distinguished with respect to any (not necessarily efficiently samplable) input distribution.
These facts will allow us to argue that, in most applications, computationally private encodings can be securely used as substitutes for perfectly private encodings.

Fact 2.4 Let X and Y be probabilistic algorithms such that for every string family {z_n} where z_n {0,1}^n, it holds that X(z_n) c Y(z_n). Then, for any (non-uniform) polynomial-time oracle machine A, it holds that A^X(1^n) c A^Y(1^n) (where A does not have access to the random coins of the given probabilistic oracle).

Fact 2.5 Let X and Y be probabilistic algorithms such that for every string family {z_n} where z_n {0,1}^n, it holds that X(z_n) c Y(z_n). Then, for every distribution ensemble {Z_n} where Z_n is distributed over {0,1}^n, we have (Z_n, X(Z_n)) c (Z_n, Y(Z_n)).

Circuits. Boolean circuits are defined in a standard way. That is, we define a boolean circuit C as a directed acyclic graph with labeled, ordered vertices of the following types: (1) input vertices, each labeled with a literal x or x and having fan-in 0; (2) gate vertices, labeled with one of the boolean functions AND, OR and having fan-in 2; (3) output vertices, labeled "output" and having fan-in 1 and fan-out 0. The edges of the circuit are referred to as wires. A wire that outgoes from an input vertex is called an input wire, and a wire that enters an output vertex is called an output wire. Any input x {0,1}^n assigns a unique value to each wire in the natural way. The output value of C, denoted C(x), contains the values of the output wires according to the given predefined order. The size of a circuit, denoted C, is the number of wires in C, and its depth is the maximum distance from an input to an output (i.e. the length of the longest directed path in the graph).

NC -reductions. A circuit with an oracle access to a function g : {0, 1} {0, 1} is a circuit that contains, in addition to the bounded fan-in OR, AND gates, special oracle gates with unbounded fan-in that compute the function g. We say that f : {0, 1} {0, 1} is NC reducible to g, and write f NC [g], if f can be computed by a uniform family of polynomial size, O(log n) depth circuits with oracle gates to g. (Oracle gates are treated the same as AND/OR gates when defining depth.) Note that if f NC [g] and g NC j then f NC +j.

Locality and degree. We say that f is c-local if each of its output bits depends on at most c input bits. For a constant c, the class nonuniform-NC^0_c includes all c-local functions. We will sometimes view the binary alphabet as the finite field F = GF(2), and say that a function f has degree d if each of its output bits can be expressed as a multivariate polynomial of degree (at most) d in the input bits.

Complexity classes. For brevity, we use the (somewhat nonstandard) convention that all complexity classes are polynomial-time uniform by default. For instance, NC^0 refers to the class of functions admitting polynomial-time uniform NC^0 circuits, whereas nonuniform-NC^0 refers to the class of functions admitting non-uniform NC^0 circuits. We let NL/poly (resp., L/poly) denote the class of boolean functions computed by NL (resp., L) Turing machines taking a polynomial-time uniform advice. (The class L/poly contains the classes L/poly and NC^1 and is contained in NC^2.) We extend boolean complexity classes, such as NL/poly and L/poly, to include non-boolean functions by letting the representation include l(n) log-space Turing machines, one for each output bit, taking the same uniform advice. Similarly, we denote by P (resp. BPP) the class of functions that can be computed in polynomial time (resp. probabilistic polynomial time). For instance, a function f : {0,1}^n {0,1}^{l(n)} is in BPP if there exists a probabilistic polynomial-time machine A such that for every x {0,1}^n it holds that Pr[A(x) f(x)] 2 n, where the probability is taken over the internal coin tosses of A.

3 Randomized Encodings

We now review the notions of randomized encoding and randomizing polynomials from [IK00, IK02, AIK04], and introduce the new computationally private variant discussed in this paper. The following definition is from [AIK04].

Definition 3.1 (Randomized encoding) Let f : {0,1}^n {0,1}^l be a function. We say that a function f̂ : {0,1}^n {0,1}^m {0,1}^s is a δ-correct, ε-private randomized encoding of f, if it satisfies the following:

δ-correctness. There exists an algorithm B, called a decoder, such that for any input x {0,1}^n, Pr[B(f̂(x, U_m)) f(x)] δ.

ε-privacy. There exists a randomized algorithm S, called a simulator, such that for any x {0,1}^n, SD(S(f(x)), f̂(x, U_m)) ε.

We refer to the second input of f̂ as its random input, and to m, s as the randomness complexity and the output complexity of f̂ respectively. The complexity of f̂ is defined to be m + s. We say that f̂ is a representation (or encoding) of f by degree-d randomizing polynomials if each of its output bits can be computed by a multivariate polynomial over GF(2) of degree at most d in the inputs.

Definition 3.1 naturally extends to infinite functions f : {0, 1} {0, 1}. In this case, the parameters l, m, s, δ, ε are all viewed as functions of the input length n, and the algorithms B, S receive 1^n as an additional input. By default, we require f̂ to be computable in poly(n) time whenever f is. In particular, both m(n) and s(n) are polynomially bounded. We also require both the decoder and the simulator algorithms to be efficient.

Several variants of randomized encodings were considered in [AIK04]. Correctness (resp., privacy) is said to be perfect when δ = 0 (resp. ε = 0) or statistical when δ(n) (resp. ε(n)) is negligible. In order to preserve the security of some primitives (such as pseudorandom generators or one-way permutations) even perfect correctness and privacy might not suffice and additional requirements should be introduced. An encoding is said to be balanced if it admits a perfectly private simulator S such that S(U_l) U_s. It is said to be stretch preserving if s = l + m. We say that f̂ is a statistical randomized encoding of f if it is both statistically correct and statistically private, and that it is a perfect randomized encoding if it is perfectly correct and private, balanced, and stretch preserving.

In this work, we abandon the information theoretic setting and relax the privacy requirement to be computational. That is, we require the ensembles S(1^n, f_n(x)) and f̂_n(x, U_{m(n)}) to be computationally indistinguishable.

Definition 3.2 (Computational randomized encoding) Let f = {f_n : {0,1}^n {0,1}^{l(n)}}_{n N} be a function family. We say that the function family f̂ = {f̂_n : {0,1}^n {0,1}^{m(n)} {0,1}^{s(n)}}_{n N} is a computational randomized encoding of f (or computational encoding for short), if it satisfies the following requirements:

Statistical correctness. There exists a polynomial-time decoder B, such that for any n and any input x {0,1}^n, Pr[B(1^n, f̂_n(x, U_{m(n)})) f_n(x)] δ(n), for some negligible function δ(n).

Computational privacy.
There exists a probabilistic polynomial-time simulator S, such that for any family of strings {x_n}_{n N} where x n = n, we have S(1^n, f_n(x_n)) c f̂_n(x_n, U_{m(n)}).

We will also refer to perfectly correct computational encodings, where the statistical correctness requirement is strengthened to perfect correctness. In fact, our main construction yields a perfectly correct encoding.

Remark 3.3 The above definition uses n both as an input length parameter and as a cryptographic "security parameter" quantifying computational privacy. When describing our construction, it will be convenient to use a separate parameter k for the latter, where computational privacy will be guaranteed as long as k n ɛ for some constant ɛ > 0.

The function classes SREN and PREN were introduced in [AIK04] to capture the power of statistical and perfect randomized encodings in NC^0. We define a similar class CREN.

Definition 3.4 (The classes CREN, SREN, PREN) The class CREN (resp., SREN, PREN) is the class of functions f admitting a computational (resp., statistical, perfect) randomized encoding f̂ in NC^0. (As usual, NC^0 is polynomial-time uniform.)

It follows from the definitions that PREN SREN CREN. Moreover, it is known that L/poly PREN and NL/poly SREN [AIK04]. (We cannot use the fact that nonuniform-NL/poly nonuniform- L/poly [Wig94] to conclude that NL/poly PREN, since this inclusion is only known to hold in the non-uniform setting.)

We end this section by considering the following intuitive composition property: Suppose we encode f by g, and then view g as a single-argument function and encode it again. Then, the resulting function (parsed appropriately) is an encoding of f. The following lemma was stated in [AIK04] for the statistical and perfect variants of randomized encodings; we extend it here to the computational variant.

Lemma 3.5 (Composition) Let g(x, r_g) be a computational encoding of f(x) and h((x, r_g), r_h) a computational encoding of g((x, r_g)), viewing the latter as a single-argument function. Then, the function f̂(x, (r_g, r_h)) def= h((x, r_g), r_h) is a computational encoding of f(x) whose random inputs are (r_g, r_h). Moreover, if g, h are perfectly correct then so is f̂.

Proof: We start with correctness. Let B_g be a δ_g(n)-correct decoder for g and B_h a δ_h(n+m_g(n))-correct decoder for h, where m_g(n) is the randomness complexity of g. Define a decoder B for f̂ by B(ŷ) = B_g(B_h(ŷ)). The decoder B errs only if either B_h or B_g err. Thus, by the union bound we have for every x {0,1}^n,

Pr_{r_g,r_h}[B(1^n, f̂(x, (r_g, r_h))) f(x)] Pr_{r_g,r_h}[B_h(1^n, h((x, r_g), r_h)) g(x, r_g)] + Pr_{r_g}[B_g(1^n, g(x, r_g)) f(x)] δ_h(n+m_g(n)) + δ_g(n),

and so B is perfectly correct if both the decoders of h and g are perfectly correct. Moreover, since m_g(n) is polynomial in n, if the decoders of h and g are statistically correct then so is B.

To prove computational privacy, we again compose the computationally private simulators of g and h, this time in an opposite order. Specifically, let S_g be a computationally-private simulator for g and S_h be computationally-private simulator for h. We define a simulator S for f̂ by S(y) = S_h(S_g(y)). Letting m_g(n) and m_h(n) denote the randomness complexity of g and h, respectively, and {x_n}_{n N} be a family of strings where x n = n, we have,

S_h(S_g(f(x_n))) c S_h(g(x_n, U_{m_g(n)})) (since g is a comp. private encoding of f and by Fact 2.3)
c h((x_n, U_{m_g(n)}), U_{m_h(n)}) (since h is a comp. private encoding of g and by Fact 2.5).

Hence, the transitivity of the relation c (Fact 2.1) finishes the proof.
It follows as a special case that the composition of a computational encoding with a perfect or a statistical encoding is a computational encoding.

Remark 3.6 It is known that any f PREN (resp., f SREN) admits a perfect (resp., statistical) encoding of degree 3 and locality 4 [AIK04]. The same holds for the class CREN, since we can encode a function f CREN by a computational encoding g in NC^0 and then encode g using a perfect encoding h of degree 3 and locality 4 (promised by the fact that NC^0 PREN). By Lemma 3.5, the function h is a computational encoding for f of degree 3 and locality 4. Moreover, the complexity of h is linearly related to the complexity of g.

4 Computational Encoding in NC^0 for Efficiently Computable Functions

In this section we construct a perfectly correct computational encoding of degree 3 and locality 4 for every efficiently computable function. Our construction consists of three steps. In Section 4.1, we describe an NC^0 implementation of one-time symmetric encryption using a minimal PRG as an oracle (i.e., a PRG that stretches its seed by just one bit). In Section 4.2 we describe the main step of the construction, in which we encode an arbitrary circuit using an NC^0 circuit which uses one-time symmetric encryption as an oracle. This step is based on a variant of Yao's garbled circuit technique [Yao86]. Combining the first two steps, we get a computational encoding in NC^0 with an oracle to a minimal PRG. Finally, in Section 4.3, we derive the main result by relying on the existence of an "easy PRG", namely, a minimal PRG in L/poly.

4.1 From PRG to One-Time Encryption

An important tool in our construction is a one-time symmetric encryption; that is, a (probabilistic) private-key encryption that is semantically secure [GM84] for encrypting a single message. We describe an NC^0-reduction from such an encryption to a minimal PRG, stretching its seed by a single bit. We start by defining minimal PRG and one-time symmetric encryption.

Definition 4.1 (Pseudorandom generator) A pseudorandom generator (PRG) is a deterministic polynomial-time algorithm, G, satisfying the following two conditions:

Expansion: There exists a function l(k) : N N satisfying that l(k) > k for all k N, such that G(x) = l( x ) for all x {0, 1}.

Pseudorandomness: The distribution ensembles {G(U_k)}_{k N} and {U_{l(k)}}_{k N} are computationally indistinguishable.

A PRG that stretches its input by one bit (i.e., l(k) = k + 1) is referred to as a minimal PRG. When l(k) = k + Ω(k) we say that G is a linear-stretch PRG. We refer to G as a polynomial-stretch PRG if l(k) = Ω(k^c) for some constant c > 1.

Definition 4.2 (One-time symmetric encryption) A one-time symmetric encryption scheme is a pair (E, D), of probabilistic polynomial-time algorithms satisfying the following conditions:

Correctness: For every k-bit key e and for every plaintext m {0, 1}, the algorithms E, D satisfy D_e(E_e(m)) = m (where E_e(m) def= E(e, m) and similarly for D).

Security: For every polynomial l( ), and every families of plaintexts {x k } k N and {x k } k N where x k, x k {0, 1}l(k), it holds that {E Uk (x k )} k N c {E Uk (x k )} k N.

The integer k serves as the security parameter of the scheme. The scheme is said to be l( )-one-time symmetric encryption scheme if correctness and security hold with respect to plaintexts whose length is bounded by l(k).

The above definition makes it possible to securely encrypt polynomially long messages under short keys. This is an important feature that will be used in our garbled circuit construction described in Section 4.2. In fact, it would suffice for our purposes to encrypt messages of some fixed polynomial$^{9}$ length, say $l(k) = k^2$. This could be easily done in $\mathrm{NC}^0$ if we had oracle access to a PRG with a corresponding stretch. Given such a PRG $G$, the encryption can be defined by $E_e(m) = G(e) \oplus m$ and the decryption by $D_e(c) = G(e) \oplus c$. However, we would like to base our construction on a PRG with a minimal stretch. From the traditional sequential point of view, such a minimal PRG is equivalent to a PRG with an arbitrary polynomial stretch (cf. [Gol01, Thm ]). In contrast, this is not known to be the case with respect to parallel reductions. It is not even known whether a linear-stretch PRG is NC-reducible to a minimal PRG (see [Vio05] for some relevant negative results). Thus, a minimal PRG is a more conservative assumption from the point of view of parallel cryptography. Moreover, unlike a PRG with linear stretch, a minimal PRG is reducible in parallel to one-way permutations and other types of one-way functions [HILL99, Vio05, AIK04].

$^{9}$ Applying the construction to circuits with a bounded fan-out, even linear length would suffice.

The above discussion motivates a direct parallel construction of one-time symmetric encryption using a minimal PRG, i.e., a construction that does not rely on a stronger type of PRG as an intermediate step. We present such an $\mathrm{NC}^0$ construction below.

Construction 4.3 (From PRG to one-time symmetric encryption) Let $G$ be a minimal PRG that stretches its input by a single bit, let $e$ be a $k$-bit key, and let $m$ be a $(k + l)$-bit plaintext. Define the probabilistic encryption algorithm

$$E_e(m, (r_1, \ldots, r_{l-1})) \stackrel{\text{def}}{=} \big(G(e) \oplus r_1,\ G(r_1) \oplus r_2,\ \ldots,\ G(r_{l-2}) \oplus r_{l-1},\ G(r_{l-1}) \oplus m\big),$$

where $r_i \leftarrow U_{k+i}$ serve as the coin tosses of $E$. The decryption algorithm $D_e(c_1, \ldots, c_{l-1})$ sets $r_0 = e$, $r_i = c_i \oplus G(r_{i-1})$ for $i = 1, \ldots, l$, and outputs $r_l$.

We prove the security of Construction 4.3 via a standard hybrid argument.

Lemma 4.4 The scheme $(E, D)$ described in Construction 4.3 is a one-time symmetric encryption scheme.

Proof: Construction 4.3 can be easily verified to satisfy the correctness requirement. We now prove the security of this scheme. Assume, towards a contradiction, that Construction 4.3 is not secure. It follows that there is a polynomial $l(\cdot)$ and two families of strings $x = \{x_k\}$ and $y = \{y_k\}$ where $|x_k| = |y_k| = k + l(k)$, such that the distribution ensembles $E_e(x_k)$ and $E_e(y_k)$, where $e \leftarrow U_k$, can be distinguished by a polynomial size circuit family $\{A_k\}$ with non-negligible advantage $\varepsilon(k)$. We use a hybrid argument to derive a contradiction. Fix some $k$. For a string $m$ of length $k + l(k)$ we define for $0 \le i \le l(k)$ the distributions $H_i(m)$ in the following way. The distribution $H_0(m)$ is defined to be $E_{r_0}(m, (r_1, \ldots, r_{l-1}))$ where $r_i \leftarrow U_{k+i}$.
For $1 \le i \le l(k)$, the distribution $H_i(m)$ is defined exactly as $H_{i-1}(m)$ only that the string $G(r_{i-1})$ is replaced with a random string $w_{i-1}$, which is one bit longer than $r_{i-1}$ (that is, $w_{i-1} \leftarrow U_{k+i}$). Observe that for every $m \in \{0,1\}^{k+l(k)}$, all the $l(k)$ strings of the hybrid $H_{l(k)}(m)$ are distributed uniformly and independently (each of them is the result of XOR with a fresh random string $w_i$). Therefore, in particular, $H_{l(k)}(x_k) \equiv H_{l(k)}(y_k)$. Since $H_0(x_k) \equiv E_e(x_k)$ as well as $H_0(y_k) \equiv E_e(y_k)$, it follows that our distinguisher $A_k$ distinguishes, w.l.o.g., between $H_{l(k)}(x_k)$ and $H_0(x_k)$ with at least $\varepsilon(k)/2$ advantage. Then, since there are $l(k)$ hybrids, there must be $1 \le i \le l(k)$ such that the neighboring hybrids, $H_{i-1}(x_k), H_i(x_k)$, can be distinguished by $A_k$ with $\frac{\varepsilon(k)}{2l(k)}$ advantage.

We now show how to use $A_k$ to distinguish a randomly chosen string from an output of the pseudorandom generator. Given a string $z$ of length $k + i$ (that is either sampled from $G(U_{k+i-1})$ or from $U_{k+i}$), we uniformly choose the strings $r_j \in \{0,1\}^{k+j}$ for $j = 1, \ldots, l(k) - 1$. We feed $A_k$ with the sample $(r_1, \ldots, r_{i-1},\ z \oplus r_i,\ G(r_i) \oplus r_{i+1},\ \ldots,\ G(r_{l(k)-1}) \oplus x_k)$. If $z$ is a uniformly chosen string then the above distribution is equivalent to $H_i(x_k)$. On the other hand, if $z$ is drawn from $G(U_{k+i-1})$ then the result is distributed exactly as $H_{i-1}(x_k)$, since each of the first $i - 1$ entries of $H_{i-1}(x_k)$ is distributed uniformly and independently of the remaining entries (each of these entries was XOR-ed with a fresh and unique random $w_j$). Hence, we constructed an adversary that breaks the PRG with non-negligible advantage $\frac{\varepsilon(k)}{2l(k)}$, deriving a contradiction.

Since the encryption algorithm described in Construction 4.3 is indeed an $\mathrm{NC}^0$ circuit with oracle access to a minimal PRG, we get the following lemma.

Lemma 4.5 Let $G$ be a minimal PRG. Then, there exists a one-time symmetric encryption scheme $(E, D)$ in which the encryption function $E$ is in $\mathrm{NC}^0[G]$.
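Construction 4.3 as runnable code, an added example that is not part of the paper. `G` is a SHAKE-256 stand-in for the minimal PRG oracle (an assumption made here; the paper only assumes that some minimal PRG exists), and bit strings are held as Python integers with explicit bit lengths.

```python
import hashlib
import secrets


def G(seed: int, n: int) -> int:
    """Stand-in minimal PRG: maps an n-bit seed to n+1 bits.

    Assumption of this example: SHAKE-256 plays the role of the PRG oracle.
    """
    nbytes = (n + 8) // 8                      # ceil((n + 1) / 8)
    data = n.to_bytes(4, "big") + seed.to_bytes((n + 7) // 8, "big")
    out = int.from_bytes(hashlib.shake_256(data).digest(nbytes), "big")
    return out >> (8 * nbytes - (n + 1))       # keep the top n+1 bits


def encrypt(e: int, k: int, m: int, l: int, coins=None) -> list:
    """E_e(m, (r_1..r_{l-1})) for a k-bit key e and a (k+l)-bit plaintext m."""
    if not (l >= 1 and 0 <= e < 1 << k and 0 <= m < 1 << (k + l)):
        raise ValueError("need a k-bit key and a (k+l)-bit plaintext")
    if coins is None:
        coins = [secrets.randbits(k + i) for i in range(1, l)]   # r_i <- U_{k+i}
    if len(coins) != l - 1:
        raise ValueError("need exactly l-1 coin strings")
    chain = [e, *coins, m]                     # r_0 = e, r_1..r_{l-1}, then m
    # c_i = G(r_{i-1}) XOR r_i. Each call to G is independent of the others,
    # so all l components can be computed in parallel.
    return [G(chain[i - 1], k + i - 1) ^ chain[i] for i in range(1, l + 1)]


def decrypt(e: int, k: int, c: list) -> int:
    """D_e: r_0 = e, r_i = c_i XOR G(r_{i-1}); the last r is the plaintext."""
    r = e
    for i, c_i in enumerate(c, start=1):       # each step needs the previous r
        r = c_i ^ G(r, k + i - 1)
    return r


if __name__ == "__main__":
    k, l = 16, 5
    key = secrets.randbits(k)
    msg = 0x1ABCDE                             # constructed 21-bit plaintext
    ct = encrypt(key, k, msg, l)
    print("component bit lengths:", [k + i for i in range(1, l + 1)])
    print("round trip ok:", decrypt(key, k, ct) == msg)
```

Encryption evaluates every `G` call independently while decryption has to walk the chain in order. The scheme provides secrecy for a single message only and no integrity: flipping a bit of the last component flips the same plaintext bit.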

Note that the decryption algorithm of the above construction is sequential. We can parallelize it (without harming the parallelization of the encryption) at the expense of strengthening the assumption we use.

Claim 4.6 Let $PG$ (resp. $LG$) be a polynomial-stretch (resp. linear-stretch) PRG. Then, for every polynomial $p(\cdot)$ there exists a $p(\cdot)$-one-time symmetric encryption scheme $(E, D)$ such that $E \in \mathrm{NC}^0[PG]$ and $D \in \mathrm{NC}^0[PG]$ (resp. $E \in \mathrm{NC}^0[LG]$ and $D \in \mathrm{NC}^1[LG]$).

Proof: Use Construction 4.3 (where $|r_i| = |G(r_{i-1})|$). When the stretch of $G$ is polynomial (resp. linear) the construction requires only $O(1)$ (resp. $O(\log k)$) invocations of $G$, and therefore, so does the decryption algorithm.

4.2 From One-Time Encryption to Computational Encoding

Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^{l(n)}\}_{n \in \mathbb{N}}$ be a polynomial-time computable function, computed by the uniform circuit family $\{C_n\}_{n \in \mathbb{N}}$. We use a one-time symmetric encryption scheme $(E, D)$ as a black box to encode $f$ by a perfectly correct computational encoding $\hat{f} = \{\hat{f}_n\}_{n \in \mathbb{N}}$. Each $\hat{f}_n$ will be an $\mathrm{NC}^0$ circuit with an oracle access to the encryption algorithm $E$, where the latter is viewed as a function of the key, the message, and its random coin tosses. The construction uses a variant of Yao's garbled circuit technique [Yao86]. Our notation and terminology for this section borrow from previous presentations of Yao's construction in [Rog91, NPS99, LP04].$^{10}$ Before we describe the actual encoding it will be convenient to think of the following physical analog that uses locks and boxes.

A physical encoding. To each wire of the circuit we assign a pair of keys: a 0-key that represents the value 0 and a 1-key that represents the value 1. For each of these pairs we randomly color one key black and the other key white. This way, given a key one cannot tell which bit it represents (since the coloring is random).
For every gate of the circuit, the encoding consists of four double-locked boxes: a white-white box (which is locked by the white keys of the wires that enter the gate), a white-black box (locked by the white key of the left incoming wire and the black key of the right incoming wire), a black-white box (locked by the black key of the left incoming wire and the white key of the right incoming wire) and a black-black box (locked by the black keys of the incoming wires). Inside each box we put one of the keys of the gate's output wires. Specifically, if a box is locked by the keys that represent the values $\alpha, \beta$ then for every outgoing wire we put in the box the key that represents the bit $g(\alpha, \beta)$, where $g$ is the function that the gate computes. For example, if the gate is an OR gate then the box which is locked by the incoming keys that represent the bits $(0, 1)$ contains all the 1-keys of the outgoing wires. So if one has a single key for each of the incoming wires, he can open only one box and get a single key for each of the outgoing wires. Moreover, as noted before, holding these keys does not reveal any information about the bits they represent.

Now, fix some input $x$ for $f_n$. For each wire, exactly one of the keys corresponds to the value of the wire (induced by $x$); we refer to this key as the active key and to the second key as the inactive key. We include in the encoding of $f_n(x)$ the active keys of the input wires. (This is the only place in which the encoding depends on the input $x$.) Using these keys and the locked boxes as described above, one can obtain the active keys of all the wires by opening the corresponding boxes in a bottom-to-top order. To make this information useful (i.e., to enable decoding of $f_n(x)$), we append to the encoding the semantics of the output wires; namely, for each output wire we expose whether the 1-key is white or black. Hence, the knowledge of the active key of an output wire reveals the value of the wire.

$^{10}$ Security proofs for variants of this construction were given implicitly in [Rog91, TX03, LP04] in the context of secure computation. However, they cannot be directly used in our context for different reasons. In particular, the analysis of [LP04] relies on a special form of symmetric encryption and does not achieve perfect correctness, while that of [Rog91, TX03] relies on a linear-stretch PRG.

The actual encoding. The actual encoding is analogous to the above physical encoding. We let random strings play the role of physical keys. Instead of locking a value in a double-locked box, we encrypt it under the XOR of two keys. Before formally defining the construction, we need the following notation. Denote by $x = (x_1, \ldots, x_n)$ the input for $f_n$. Let $k = k(n)$ be a security parameter which may be set to $n^{\varepsilon}$ for an arbitrary positive constant $\varepsilon$ (see Remark 3.3). Let $\Gamma(n)$ denote the number of gates in $C_n$. For every $1 \le i \le |C_n|$, denote by $b_i(x)$ the value of the $i$-th wire induced by the input $x$; when $x$ is clear from the context we simply use $b_i$ to denote the wire's value.

Our encoding $\hat{f}_n(x, (r, W))$ consists of random inputs of two types: $|C_n|$ pairs of strings $W_i^0, W_i^1 \in \{0,1\}^{2k}$, and $|C_n|$ bits (referred to as masks) denoted $r_1, \ldots, r_{|C_n|}$.$^{11}$ The strings $W_i^0, W_i^1$ will serve as the 0-key and the 1-key of the $i$-th wire, while the bit $r_i$ will determine which of these keys is the black key. We use $c_i$ to denote the value of wire $i$ masked by $r_i$; namely, $c_i = b_i \oplus r_i$. Thus, $c_i$ is the color of the active key of the $i$-th wire (with respect to the input $x$). As before, the encoding $\hat{f}_n(x, (r, W))$ will reveal each active key $W_i^{b_i}$ and its color $c_i$ but will hide the inactive keys $W_i^{1-b_i}$ and the masks $r_i$ of all the wires (except the masks of the output wires). Intuitively, since the active keys and inactive keys are distributed identically, the knowledge of an active key $W_i^{b_i}$ does not reveal the value $b_i$.

The encoding $\hat{f}_n$ consists of the concatenation of $O(|C_n|)$ functions, which include several entries for each gate and for each input and output wire. In what follows $\oplus$ denotes bitwise-xor on strings; when we want to emphasize that the operation is applied to single bits we will usually denote it by either $+$ or $-$. We use $\circ$ to denote concatenation.
For every $\beta \in \{0,1\}$ and every $i$, we view the string $W_i^{\beta}$ as if it is partitioned into two equal-size parts denoted $W_i^{\beta,0}, W_i^{\beta,1}$.

Construction 4.7 Let $C_n$ be a circuit that computes $f_n$. Then, we define $\hat{f}_n(x, (r, W))$ to be the concatenation of the following functions of $(x, (r, W))$.

Input wires: For an input wire $i$, labeled by a literal $l$ (either some variable $x_u$ or its negation) we append the function $W_i^{l} \circ (l + r_i)$.

Gates: Let $t \in [\Gamma(n)]$ be a gate that computes the function $g \in \{\mathrm{AND}, \mathrm{OR}\}$ with input wires $i, j$ and output wires $y_1, \ldots, y_m$. We associate with this gate 4 functions that are referred to as gate labels. Specifically, for each of the 4 choices of $a_i, a_j \in \{0,1\}$, we define a corresponding function $Q_t^{a_i,a_j}$. This function can be thought of as the box whose color is $(a_i, a_j)$. It is defined as follows:

$$Q_t^{a_i,a_j}(r, W) \stackrel{\text{def}}{=} E_{W_i^{a_i \oplus r_i,\,a_j} \oplus W_j^{a_j \oplus r_j,\,a_i}}\Big( W_{y_1}^{g(a_i \oplus r_i,\,a_j \oplus r_j)} \circ \big(g(a_i \oplus r_i, a_j \oplus r_j) + r_{y_1}\big) \circ \cdots \circ W_{y_m}^{g(a_i \oplus r_i,\,a_j \oplus r_j)} \circ \big(g(a_i \oplus r_i, a_j \oplus r_j) + r_{y_m}\big) \Big), \tag{4.1}$$

where $E$ is a one-time symmetric encryption algorithm. (For simplicity, the randomness of $E$ is omitted.) That is, the colored keys of all the output wires of this gate are encrypted under a key that depends on the keys of the input wires of the gate. Note that $Q_t^{a_i,a_j}$ depends only on the random inputs. We refer to the label $Q_t^{c_i,c_j}$ that is indexed by the colors of the active keys of the input wires as an active label, and to the other three labels as the inactive labels.

Output wires: For each output wire $i$ of the circuit, we add the mask of this wire $r_i$.

$^{11}$ In fact, each application of the encryption scheme will use some additional random bits. To simplify notation, we keep these random inputs implicit.

It is not hard to verify that $\hat{f}_n$ is in $\mathrm{NC}^0[E]$. In particular, a term of the form $W_i^{l}$ is a 3-local function of $W_i^0$, $W_i^1$ and $l$, since its $j$-th bit depends on the $j$-th bit of $W_i^0$, the $j$-th bit of $W_i^1$ and on the literal $l$. Similarly, the keys that are used in the encryptions are 8-local functions, and the arguments to the encryption are 6-local functions of $(r, W)$.

We will now analyze the complexity of $\hat{f}_n$. The output complexity and randomness complexity of $\hat{f}$ are both dominated by the complexity of the gate labels. Generally, the complexity of these functions is $\mathrm{poly}(|C_n| \cdot k)$ (since the encryption $E$ is computable in polynomial time).$^{12}$ However, when the circuit $C_n$ has bounded fan-out (say 2) each invocation of the encryption uses $\mathrm{poly}(k)$ random bits and outputs $\mathrm{poly}(k)$ bits. Hence, the overall complexity is $O(|C_n|) \cdot \mathrm{poly}(k) = O(|C_n| \cdot n^{\varepsilon})$ for an arbitrary constant $\varepsilon > 0$. Since any circuit with unbounded fan-out of size $|C_n|$ can be (efficiently) transformed into a bounded-fanout circuit whose size is $O(|C_n|)$ (at the price of a logarithmic factor in the depth), we get an encoding of size $O(|C_n| \cdot n^{\varepsilon})$ for every (unbounded fan-out) circuit family $\{C_n\}$.

Let $\mu(n), s(n)$ be the randomness complexity and the output complexity of $\hat{f}_n$ respectively. We claim that the function family $\hat{f} = \{\hat{f}_n : \{0,1\}^n \times \{0,1\}^{\mu(n)} \to \{0,1\}^{s(n)}\}_{n \in \mathbb{N}}$ defined above is indeed a computationally randomized encoding of the family $f$. We start with perfect correctness.

Lemma 4.8 (Perfect correctness) There exists a polynomial-time decoder algorithm $B$ such that for every $n \in \mathbb{N}$ and every $x \in \{0,1\}^n$ and $(r, W) \in \{0,1\}^{\mu(n)}$, it holds that $B(1^n, \hat{f}_n(x, (r, W))) = f_n(x)$.

Proof: Let $\alpha = \hat{f}_n(x, (r, W))$ for some $x \in \{0,1\}^n$ and $(r, W) \in \{0,1\}^{\mu(n)}$. Given $\alpha$, our decoder computes, for every wire $i$, the active key $W_i^{b_i}$ and its color $c_i$. Then, for an output wire $i$, the decoder retrieves the mask $r_i$ from $\alpha$ and computes the corresponding output bit of $f_n(x)$; i.e., outputs $b_i = c_i \oplus r_i$. (Recall that the masks of the output wires are given explicitly as part of $\alpha$.)
The active keys and their colors are computed by scanning the circuit from bottom to top. For an input wire $i$ the desired value, $W_i^{b_i} \circ c_i$, is given as part of $\alpha$. Next, consider a wire $y$ that goes out of a gate $t$, and assume that we have already computed the desired values of the input wires $i$ and $j$ of this gate. We use the colors $c_i, c_j$ of the active keys of the input wires to select the active label $Q_t^{c_i,c_j}$ of the gate $t$ (and ignore the other 3 inactive labels of this gate). Consider this label as in Equation (4.1); recall that this cipher was encrypted under the key $W_i^{c_i \oplus r_i,\,c_j} \oplus W_j^{c_j \oplus r_j,\,c_i} = W_i^{b_i,c_j} \oplus W_j^{b_j,c_i}$. Since we have already computed the values $c_i$, $c_j$, $W_i^{b_i}$ and $W_j^{b_j}$, we can decrypt the label $Q_t^{c_i,c_j}$ (by applying the decryption algorithm $D$). Hence, we can recover the encrypted plaintext, that includes, in particular, the value $W_y^{g(b_i,b_j)} \circ (g(b_i, b_j) + r_y)$, where $g$ is the function that gate $t$ computes. Since by definition $b_y = g(b_i, b_j)$, the decrypted string contains the desired value.

Remark 4.9 By the description of the decoder it follows that if the circuit $C_n$ is in $\mathrm{NC}^i$, then the decoder is in $\mathrm{NC}^i[D]$, where $D$ is the decryption algorithm. In particular if $D$ is in $\mathrm{NC}^j$ then the decoder is in $\mathrm{NC}^{i+j}$. This fact will be useful for some of the applications discussed in Section 5.

To argue computational privacy we need to prove the following lemma, whose proof is deferred to Appendix A.

Lemma 4.10 (Computational privacy) There exists a probabilistic polynomial-time simulator $S$, such that for any family of strings $\{x_n\}_{n \in \mathbb{N}}$, $|x_n| = n$, it holds that $S(1^n, f_n(x_n)) \stackrel{c}{\equiv} \hat{f}_n(x_n, U_{\mu(n)})$.

$^{12}$ Specifically, the encryption is always invoked on messages whose length is bounded by $l(n) \stackrel{\text{def}}{=} O(|C_n| \cdot k)$, hence we can use $l(n)$-one-time symmetric encryption.
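Construction 4.7 and the decoder from the proof of Lemma 4.8, run on a small circuit, as an added example that is not the paper's code. The three-input circuit, the dictionary layout and the one-time encryption stand-in `E` (XOR with a SHAKE-256 pad, in the style of $E_e(m) = G(e) \oplus m$ from Section 4.1) are assumptions made for illustration.

```python
import hashlib
import secrets

K = 16  # bytes per key half; each wire key W_i^b is 2K bytes (the paper's 2k bits)
GATES = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b}

# Constructed circuit: f(x) = (x0 AND x1, (x0 AND x1) OR (NOT x2)).
# Input wires carry literals (variable index, negated); gate 0 has fan-out 2.
CIRCUIT = {
    "inputs": {0: (0, False), 1: (1, False), 2: (2, True)},
    "gates": [("AND", 0, 1, [3, 4]), ("OR", 3, 2, [5])],   # topological order
    "outputs": [4, 5],
}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def E(key: bytes, msg: bytes) -> bytes:
    """Stand-in one-time encryption (assumption): msg XOR SHAKE-256(key) pad.
    XOR-ing twice with the same pad decrypts, so D = E here."""
    return xor(msg, hashlib.shake_256(key).digest(len(msg)))


def encode(circ, x, rng=None):
    """Return the encoding of f(x) under fresh random inputs (r, W)."""
    if rng is None:
        rng = secrets.SystemRandom()
    wires = sorted(set(circ["inputs"]) | {y for g in circ["gates"] for y in g[3]})
    W = {i: [rng.getrandbits(16 * K).to_bytes(2 * K, "big") for _ in (0, 1)]
         for i in wires}
    r = {i: rng.getrandbits(1) for i in wires}

    def half(i, beta, s):                      # W_i^{beta,s}
        return W[i][beta][s * K:(s + 1) * K]

    enc = {"inputs": {}, "labels": [], "masks": {o: r[o] for o in circ["outputs"]}}
    for i, (u, neg) in circ["inputs"].items():
        lit = x[u] ^ int(neg)
        enc["inputs"][i] = (W[i][lit], lit ^ r[i])          # active key, color
    for g, i, j, ys in circ["gates"]:
        table = {}
        for a_i in (0, 1):
            for a_j in (0, 1):
                b_i, b_j = a_i ^ r[i], a_j ^ r[j]           # values behind the colors
                v = GATES[g](b_i, b_j)
                key = xor(half(i, b_i, a_j), half(j, b_j, a_i))
                plain = b"".join(W[y][v] + bytes([v ^ r[y]]) for y in ys)
                table[(a_i, a_j)] = E(key, plain)           # Q_t^{a_i,a_j}
        enc["labels"].append(table)
    return enc


def decode(circ, enc):
    """Decoder B: open one label per gate using active keys and colors only."""
    active = dict(enc["inputs"])                            # wire -> (key, color)
    for (_, i, j, ys), table in zip(circ["gates"], enc["labels"]):
        (w_i, c_i), (w_j, c_j) = active[i], active[j]
        key = xor(w_i[c_j * K:(c_j + 1) * K], w_j[c_i * K:(c_i + 1) * K])
        plain = E(key, table[(c_i, c_j)])
        size = 2 * K + 1                                    # key plus color byte
        for n, y in enumerate(ys):
            chunk = plain[n * size:(n + 1) * size]
            active[y] = (chunk[:2 * K], chunk[2 * K])
    return [active[o][1] ^ enc["masks"][o] for o in circ["outputs"]]


if __name__ == "__main__":
    for x in [(0, 0, 0), (1, 1, 1), (1, 0, 1)]:
        print(x, "->", decode(CIRCUIT, encode(CIRCUIT, x)))
```

The decoder never looks at the gate type: it only follows colors to the one label it can open. With the random inputs $(r, W)$ fixed, the gate labels and output masks are the same for every $x$, and only the input-wire entries change.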

Remark 4.11 (Information-theoretic variant) Construction 4.7 can be instantiated with a perfect (information-theoretic) encryption scheme, yielding a perfectly private randomized encoding. (The privacy proof given in Appendix A can be easily modified to treat this case.) However, in such an encryption the key must be as long as the encrypted message [Sha49]. It follows that the wires' key length grows exponentially with their distance from the outputs, rendering the construction efficient only for $\mathrm{NC}^1$ circuits. This information-theoretic variant of the garbled circuit construction was previously suggested in [IK02]. We will use it in Section 4.3 for obtaining a computational encoding with a parallel decoder.

4.3 Main Results

Combining Lemmas 4.8, 4.10, and 4.5 we get an $\mathrm{NC}^0$ encoding of any efficiently computable function using an oracle to a minimal PRG.

Theorem 4.12 Suppose $f$ is computed by a uniform family $\{C_n\}$ of polynomial-size circuits. Let $G$ be a (minimal) PRG. Then, $f$ admits a perfectly correct computational encoding $\hat{f}$ in $\mathrm{NC}^0[G]$. The complexity of $\hat{f}$ is $O(|C_n| \cdot n^{\varepsilon})$ (for an arbitrary constant $\varepsilon > 0$).

We turn to the question of eliminating the PRG oracles. We follow the natural approach of replacing each oracle with an $\mathrm{NC}^0$ implementation. (A more general but less direct approach will be described in Remark 4.16.) Using [AIK04, Thm 6.5], a minimal PRG in $\mathrm{NC}^0$ is implied by a PRG in PREN, and in particular by a PRG in $\mathrm{NC}^1$ or even $\oplus\mathrm{L/poly}$. Thus, we can base our main theorem on the following easy PRG assumption.

Assumption 4.13 (Easy PRG (EPRG)) There exists a PRG in $\oplus\mathrm{L/poly}$.

As discussed in Section 1.1, EPRG is a very mild assumption. In particular, it is implied by most standard cryptographic intractability assumptions, and is also implied by the existence in $\oplus\mathrm{L/poly}$ of one-way permutations and other types of one-way functions. Combining Theorem 4.12 with the EPRG assumption, we get a computational encoding in $\mathrm{NC}^0$ for every efficiently computable function. To optimize its parameters we apply a final step of perfect encoding, yielding a computational encoding with degree 3 and locality 4 (see Remark 3.6).
Thus, we get the following main theorem.

Theorem 4.14 Suppose $f$ is computed by a uniform family $\{C_n\}$ of polynomial-size circuits. Then, under the EPRG assumption, $f$ admits a perfectly correct computational encoding $\hat{f}$ of degree 3, locality 4 and complexity $O(|C_n| \cdot n^{\varepsilon})$ (for an arbitrary constant $\varepsilon > 0$).

Corollary 4.15 Under the EPRG assumption, CREN = BPP.

Proof: Let $f(x)$ be a function in BPP. It follows that there exists a function $f'(x, z) \in \mathrm{P}$ such that for every $x \in \{0,1\}^n$ it holds that $\Pr_z[f'(x, z) \ne f(x)] \le 2^{-n}$. Let $\hat{f}'((x, z), r)$ be the $\mathrm{NC}^0$ computational encoding of $f'$ promised by Theorem. Since $f'$ is a statistical encoding of $f$ (the simulator and the decoder are simply the identity functions), it follows from Lemma 3.5 that $\hat{f}(x, (z, r)) \stackrel{\text{def}}{=} \hat{f}'((x, z), r)$ is a computational encoding of $f$ in $\mathrm{NC}^0$. Conversely, suppose $f \in \mathrm{CREN}$ and let $\hat{f}$ be an $\mathrm{NC}^0$ computational encoding of $f$. A BPP algorithm for $f$ can be obtained by first computing $\hat{y} = \hat{f}(x, r)$ on a random $r$ and then invoking the decoder on $\hat{y}$ to obtain the output $y = f(x)$ with high probability.


More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

Formulas for the Determinant

Formulas for the Determinant page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

n ). This is tight for all admissible values of t, k and n. k t + + n t

n ). This is tight for all admissible values of t, k and n. k t + + n t MAXIMIZING THE NUMBER OF NONNEGATIVE SUBSETS NOGA ALON, HAROUT AYDINIAN, AND HAO HUANG Abstract. Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Refined Coding Bounds for Network Error Correction

Refined Coding Bounds for Network Error Correction Refned Codng Bounds for Network Error Correcton Shenghao Yang Department of Informaton Engneerng The Chnese Unversty of Hong Kong Shatn, N.T., Hong Kong shyang5@e.cuhk.edu.hk Raymond W. Yeung Department

More information

A CLASS OF RECURSIVE SETS. Florentin Smarandache University of New Mexico 200 College Road Gallup, NM 87301, USA

A CLASS OF RECURSIVE SETS. Florentin Smarandache University of New Mexico 200 College Road Gallup, NM 87301, USA A CLASS OF RECURSIVE SETS Florentn Smarandache Unversty of New Mexco 200 College Road Gallup, NM 87301, USA E-mal: smarand@unmedu In ths artcle one bulds a class of recursve sets, one establshes propertes

More information

Random Walks on Digraphs

Random Walks on Digraphs Random Walks on Dgraphs J. J. P. Veerman October 23, 27 Introducton Let V = {, n} be a vertex set and S a non-negatve row-stochastc matrx (.e. rows sum to ). V and S defne a dgraph G = G(V, S) and a drected

More information

Online Classification: Perceptron and Winnow

Online Classification: Perceptron and Winnow E0 370 Statstcal Learnng Theory Lecture 18 Nov 8, 011 Onlne Classfcaton: Perceptron and Wnnow Lecturer: Shvan Agarwal Scrbe: Shvan Agarwal 1 Introducton In ths lecture we wll start to study the onlne learnng

More information

Lecture 20: Lift and Project, SDP Duality. Today we will study the Lift and Project method. Then we will prove the SDP duality theorem.

Lecture 20: Lift and Project, SDP Duality. Today we will study the Lift and Project method. Then we will prove the SDP duality theorem. prnceton u. sp 02 cos 598B: algorthms and complexty Lecture 20: Lft and Project, SDP Dualty Lecturer: Sanjeev Arora Scrbe:Yury Makarychev Today we wll study the Lft and Project method. Then we wll prove

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

Computationally Private Randomizing Polynomials and Their Applications

Computationally Private Randomizing Polynomials and Their Applications Computationally Private Randomizing Polynomials and Their Applications (EXTENDED ABSTRACT) Benny Applebaum Yuval Ishai Eyal Kushilevitz Computer Science Department, Technion {abenny,yuvali,eyalk}@cs.technion.ac.il

More information

PHYS 705: Classical Mechanics. Newtonian Mechanics

PHYS 705: Classical Mechanics. Newtonian Mechanics 1 PHYS 705: Classcal Mechancs Newtonan Mechancs Quck Revew of Newtonan Mechancs Basc Descrpton: -An dealzed pont partcle or a system of pont partcles n an nertal reference frame [Rgd bodes (ch. 5 later)]

More information

18.1 Introduction and Recap

18.1 Introduction and Recap CS787: Advanced Algorthms Scrbe: Pryananda Shenoy and Shjn Kong Lecturer: Shuch Chawla Topc: Streamng Algorthmscontnued) Date: 0/26/2007 We contnue talng about streamng algorthms n ths lecture, ncludng

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information

A combinatorial problem associated with nonograms

A combinatorial problem associated with nonograms A combnatoral problem assocated wth nonograms Jessca Benton Ron Snow Nolan Wallach March 21, 2005 1 Introducton. Ths work was motvated by a queston posed by the second named author to the frst named author

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

An Introduction to Morita Theory

An Introduction to Morita Theory An Introducton to Morta Theory Matt Booth October 2015 Nov. 2017: made a few revsons. Thanks to Nng Shan for catchng a typo. My man reference for these notes was Chapter II of Bass s book Algebrac K-Theory

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

Spectral Graph Theory and its Applications September 16, Lecture 5

Spectral Graph Theory and its Applications September 16, Lecture 5 Spectral Graph Theory and ts Applcatons September 16, 2004 Lecturer: Danel A. Spelman Lecture 5 5.1 Introducton In ths lecture, we wll prove the followng theorem: Theorem 5.1.1. Let G be a planar graph

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

The Second Eigenvalue of Planar Graphs

The Second Eigenvalue of Planar Graphs Spectral Graph Theory Lecture 20 The Second Egenvalue of Planar Graphs Danel A. Spelman November 11, 2015 Dsclamer These notes are not necessarly an accurate representaton of what happened n class. The

More information

Graph Reconstruction by Permutations

Graph Reconstruction by Permutations Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

11 Tail Inequalities Markov s Inequality. Lecture 11: Tail Inequalities [Fa 13]

11 Tail Inequalities Markov s Inequality. Lecture 11: Tail Inequalities [Fa 13] Algorthms Lecture 11: Tal Inequaltes [Fa 13] If you hold a cat by the tal you learn thngs you cannot learn any other way. Mark Twan 11 Tal Inequaltes The smple recursve structure of skp lsts made t relatvely

More information

Exercises. 18 Algorithms

Exercises. 18 Algorithms 18 Algorthms Exercses 0.1. In each of the followng stuatons, ndcate whether f = O(g), or f = Ω(g), or both (n whch case f = Θ(g)). f(n) g(n) (a) n 100 n 200 (b) n 1/2 n 2/3 (c) 100n + log n n + (log n)

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

Lecture 17 : Stochastic Processes II

Lecture 17 : Stochastic Processes II : Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss

More information

Representation theory and quantum mechanics tutorial Representation theory and quantum conservation laws

Representation theory and quantum mechanics tutorial Representation theory and quantum conservation laws Representaton theory and quantum mechancs tutoral Representaton theory and quantum conservaton laws Justn Campbell August 1, 2017 1 Generaltes on representaton theory 1.1 Let G GL m (R) be a real algebrac

More information

Appendix B. Criterion of Riemann-Stieltjes Integrability

Appendix B. Criterion of Riemann-Stieltjes Integrability Appendx B. Crteron of Remann-Steltes Integrablty Ths note s complementary to [R, Ch. 6] and [T, Sec. 3.5]. The man result of ths note s Theorem B.3, whch provdes the necessary and suffcent condtons for

More information

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN FINITELY-GENERTED MODULES OVER PRINCIPL IDEL DOMIN EMMNUEL KOWLSKI Throughout ths note, s a prncpal deal doman. We recall the classfcaton theorem: Theorem 1. Let M be a fntely-generated -module. (1) There

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

Privacy-Free Garbled Circuits with Applications To Efficient Zero-Knowledge

Privacy-Free Garbled Circuits with Applications To Efficient Zero-Knowledge Prvacy-Free Garbled Crcuts wth Applcatons To Effcent Zero-Knowledge (Full Verson) Tore Kasper Frederksen, Jesper Buus Nelsen, and Claudo Orland Department of Computer Scence, Aarhus Unversty Abstract In

More information

Eigenvalues of Random Graphs

Eigenvalues of Random Graphs Spectral Graph Theory Lecture 2 Egenvalues of Random Graphs Danel A. Spelman November 4, 202 2. Introducton In ths lecture, we consder a random graph on n vertces n whch each edge s chosen to be n the

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Homotopy Type Theory Lecture Notes

Homotopy Type Theory Lecture Notes 15-819 Homotopy Type Theory Lecture Notes Evan Cavallo and Stefan Muller November 18 and 20, 2013 1 Reconsder Nat n smple types s a warmup to dscussng nductve types, we frst revew several equvalent presentatons

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).

More information

Week 5: Neural Networks

Week 5: Neural Networks Week 5: Neural Networks Instructor: Sergey Levne Neural Networks Summary In the prevous lecture, we saw how we can construct neural networks by extendng logstc regresson. Neural networks consst of multple

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

E Tail Inequalities. E.1 Markov s Inequality. Non-Lecture E: Tail Inequalities

E Tail Inequalities. E.1 Markov s Inequality. Non-Lecture E: Tail Inequalities Algorthms Non-Lecture E: Tal Inequaltes If you hold a cat by the tal you learn thngs you cannot learn any other way. Mar Twan E Tal Inequaltes The smple recursve structure of sp lsts made t relatvely easy

More information

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1 C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

10-701/ Machine Learning, Fall 2005 Homework 3

10-701/ Machine Learning, Fall 2005 Homework 3 10-701/15-781 Machne Learnng, Fall 2005 Homework 3 Out: 10/20/05 Due: begnnng of the class 11/01/05 Instructons Contact questons-10701@autonlaborg for queston Problem 1 Regresson and Cross-valdaton [40

More information