{"title":"On hiding information from an oracle","authors":"M. Abadi, J. Feigenbaum, J. Kilian","doi":"10.1145/28395.28417","DOIUrl":null,"url":null,"abstract":"We consider the problem of computing with encrypted data. Player A wishes to know the value ƒ(x) for some x but lacks the power to compute it. Player B has the power to compute ƒ and is willing to send ƒ(y) to A if she sends him y, for any y. Informally, an encryption scheme for the problem ƒ is a method by which A, using her inferior resources, can transform the cleartext instance x into an encrypted instance y, obtain ƒ(y) from B, and infer ƒ(x) from ƒ(y) in such a way that B cannot infer x from y. When such an encryption scheme exists, we say that ƒ is encryptable. The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense. Our definitions are cast in the language of probability theory and do not involve assumptions such as the intractability of factoring or the existence of one-way functions. We use our framework to describe encryption schemes for some natural problems in NP ∩ CoNP. We also consider the following generalization of encryption schemes. Player A, who is limited to probabilistic polynomial time, wishes to guess the value ƒ(x) with probability at least 1/2 + 1/|x|^c of being correct, for some constant c. Player B can compute any function and generate arbitrary probability distributions. Players A and B can interact for a polynomial number of rounds by sending polynomial-sized messages. 
We prove a strong negative result: there is no such generalized encryption scheme for SAT that leaks no more than the size of x (unless the polynomial hierarchy collapses at the second level).","PeriodicalId":161795,"journal":{"name":"Proceedings of the nineteenth annual ACM symposium on Theory of computing","volume":"45 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1987-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"316","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the nineteenth annual ACM symposium on Theory of computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/28395.28417","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 316
Abstract
We consider the problem of computing with encrypted data. Player A wishes to know the value ƒ(x) for some x but lacks the power to compute it. Player B has the power to compute ƒ and is willing to send ƒ(y) to A if she sends him y, for any y. Informally, an encryption scheme for the problem ƒ is a method by which A, using her inferior resources, can transform the cleartext instance x into an encrypted instance y, obtain ƒ(y) from B, and infer ƒ(x) from ƒ(y) in such a way that B cannot infer x from y. When such an encryption scheme exists, we say that ƒ is encryptable. The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an information-theoretic sense. Our definitions are cast in the language of probability theory and do not involve assumptions such as the intractability of factoring or the existence of one-way functions. We use our framework to describe encryption schemes for some natural problems in NP ∩ CoNP. We also consider the following generalization of encryption schemes. Player A, who is limited to probabilistic polynomial time, wishes to guess the value ƒ(x) with probability at least 1/2 + 1/|x|^c of being correct, for some constant c. Player B can compute any function and generate arbitrary probability distributions. Players A and B can interact for a polynomial number of rounds by sending polynomial-sized messages. We prove a strong negative result: there is no such generalized encryption scheme for SAT that leaks no more than the size of x (unless the polynomial hierarchy collapses at the second level).