 
Summary: Randomly Encoding Functions:
a New Cryptographic Paradigm
Benny Applebaum
March 25, 2011
Abstract
The notion of randomized encoding allows one to represent a "complex" function f(x) by a
"simpler" randomized mapping $\hat{f}(x; r)$ whose output distribution on an input x encodes the
value of f(x). We survey several cryptographic applications of this paradigm.
1 Introduction
To what extent can one simplify the task of computing a function f by settling for computing some
(possibly randomized) encoding of its output? This question can be formalized as follows: We say
that a function $\hat{f}(x; r)$ is a randomized encoding (RE) of a function f(x), if its output distribution
depends only on the output of f. More precisely, we require the existence of an efficient recovery
algorithm Rec and an efficient randomized simulator Sim that satisfy the following conditions:
· (Correctness) For every (x, r), given $\hat{f}(x; r)$ the algorithm Rec recovers f(x);
· (Privacy) For every x, given f(x) the simulator Sim samples from the distribution of $\hat{f}(x; r)$
induced by a uniform choice of r.
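The two conditions can be checked exhaustively on a small instance. The following is an added example, not taken from the paper: it assumes f is the sum of N inputs modulo Q, and the names f_hat, leaky, rec, sim and check, as well as the parameters Q = 5 and N = 3, are chosen here for illustration. It compares a padded encoding that satisfies both conditions with an encoding that is correct but not private.

```python
from collections import Counter
from itertools import product

Q, N = 5, 3  # constructed parameters: inputs are N elements of Z_Q

def f(x):
    """The function being encoded: sum of the inputs mod Q."""
    return sum(x) % Q

def f_hat(x, r):
    """Encoding with N-1 random pads: y_i = x_i + r_i - r_{i-1}, r_0 = r_N = 0."""
    pads = (0,) + tuple(r) + (0,)
    return tuple((x[i] + pads[i + 1] - pads[i]) % Q for i in range(N))

def leaky(x, r):
    """Correct but not private: ignores r and outputs x itself."""
    return tuple(x)

def rec(enc):
    """Recovery: the pads telescope away, leaving f(x)."""
    return sum(enc) % Q

def sim(y, s):
    """Simulator: sees only y = f(x); s are its N-1 random coins."""
    return tuple(s) + ((y - sum(s)) % Q,)

def coins():
    """All possible random strings (for the encoder or the simulator)."""
    return product(range(Q), repeat=N - 1)

def check(encoder):
    """Return (correct, private) by enumerating every input x and every r."""
    correct = private = True
    for x in product(range(Q), repeat=N):
        # Exact output distribution of the encoding on x over uniform r.
        real = Counter(encoder(x, r) for r in coins())
        # Exact output distribution of Sim given only f(x).
        ideal = Counter(sim(f(x), s) for s in coins())
        correct &= all(rec(e) == f(x) for e in real)
        private &= real == ideal
    return correct, private

if __name__ == "__main__":
    print("f_hat:", check(f_hat))
    print("leaky:", check(leaky))
```

The leaky encoding passes correctness because Rec still recovers f(x), but its output distribution depends on x itself rather than only on f(x), so no simulator that sees only f(x) can reproduce it.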
This notion of randomized encoding was introduced by Ishai and Kushilevitz [21] (under the
algebraic framework of randomizing polynomials) and was implicitly used, in weaker forms, in the
context of secure multiparty computation (e.g., [23, 19]). Observe that each of the above require
