TY - JOUR
T1 - Computationally private randomizing polynomials and their applications
AU - Applebaum, Benny
AU - Ishai, Yuval
AU - Kushilevitz, Eyal
PY - 2006/6
Y1 - 2006/6
N2 - Randomizing polynomials allow representing a function f(x) by a low-degree randomized mapping f̂(x, r) whose output distribution on an input x is a randomized encoding of f(x). It is known that any function f in uniform ⊕L/poly (and in particular in NC¹) can be efficiently represented by degree-3 randomizing polynomials. Such a degree-3 representation gives rise to an NC⁰₄ representation, in which every bit of the output depends on only four bits of the input. In this paper, we study the relaxed notion of computationally private randomizing polynomials, where the output distribution of f̂(x, r) should only be computationally indistinguishable from a randomized encoding of f(x). We construct degree-3 randomizing polynomials of this type for every polynomial-time computable function, assuming the existence of a cryptographic pseudorandom generator (PRG) in uniform ⊕L/poly. (The latter assumption is implied by most standard intractability assumptions used in cryptography.) This result is obtained by combining a variant of Yao's garbled circuit technique with previous "information-theoretic" constructions of randomizing polynomials. We present several applications of computationally private randomizing polynomials in cryptography. In particular, we relax the sufficient assumptions for parallel constructions of cryptographic primitives, obtain new parallel reductions between primitives, and simplify the design of constant-round protocols for multiparty computation.
AB - Randomizing polynomials allow representing a function f(x) by a low-degree randomized mapping f̂(x, r) whose output distribution on an input x is a randomized encoding of f(x). It is known that any function f in uniform ⊕L/poly (and in particular in NC¹) can be efficiently represented by degree-3 randomizing polynomials. Such a degree-3 representation gives rise to an NC⁰₄ representation, in which every bit of the output depends on only four bits of the input. In this paper, we study the relaxed notion of computationally private randomizing polynomials, where the output distribution of f̂(x, r) should only be computationally indistinguishable from a randomized encoding of f(x). We construct degree-3 randomizing polynomials of this type for every polynomial-time computable function, assuming the existence of a cryptographic pseudorandom generator (PRG) in uniform ⊕L/poly. (The latter assumption is implied by most standard intractability assumptions used in cryptography.) This result is obtained by combining a variant of Yao's garbled circuit technique with previous "information-theoretic" constructions of randomizing polynomials. We present several applications of computationally private randomizing polynomials in cryptography. In particular, we relax the sufficient assumptions for parallel constructions of cryptographic primitives, obtain new parallel reductions between primitives, and simplify the design of constant-round protocols for multiparty computation.
KW - Constant depth circuits
KW - Cryptography
KW - Garbled circuit
KW - NC
KW - Parallel construction
KW - Randomizing polynomials
UR - http://www.scopus.com/inward/record.url?scp=33745306666&partnerID=8YFLogxK
U2 - 10.1007/s00037-006-0211-8
DO - 10.1007/s00037-006-0211-8
M3 - Article
AN - SCOPUS:33745306666
SN - 1016-3328
VL - 15
SP - 115
EP - 162
JO - Computational Complexity
JF - Computational Complexity
IS - 2
ER -