TY - JOUR
T1 - Conditional disclosure of secrets
T2 - Amplification, closure, amortization, lower-bounds, and separations
AU - Applebaum, Benny
AU - Arkis, Barak
AU - Raykov, Pavel
AU - Nalini Vasudevan, Prashant
N1 - Publisher Copyright: © 2021 Society for Industrial and Applied Mathematics.
PY - 2021
Y1 - 2021
N2 - In the conditional disclosure of secrets (CDS) problem [Gertner et al., J. Comput. System Sci., 60 (2000), pp. 592-629] Alice and Bob, who hold inputs x and y, respectively, wish to release a common secret s to Carol (who knows both x and y) if and only if the input (x, y) satisfies some predefined predicate f. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some joint randomness and the goal is to minimize the communication complexity while providing information-theoretic security. In this work, we initiate the study of CDS manipulation techniques and derive the following positive and negative results: (Closure) A CDS for f can be turned into a CDS for its complement f̄ with only a minor blow-up in complexity. More generally, for a (possibly nonmonotone) predicate h, we obtain a CDS for h(f_1, ..., f_m) whose cost is essentially linear in the formula size of h and polynomial in the CDS complexity of f_i. (Amplification) It is possible to reduce the privacy and correctness error of a CDS from constant to 2^{-k} with a multiplicative overhead of O(k). Moreover, this overhead can be amortized over k-bit secrets. (Amortization) Every predicate f over n-bit inputs admits a CDS for multibit secrets whose amortized communication complexity per secret bit grows linearly with the input length n for sufficiently long secrets. In contrast, the best known upper-bound for single-bit secrets is exponential in n. (Lower-bounds) There exists a (nonexplicit) predicate f over n-bit inputs for which any perfect (single-bit) CDS requires communication of at least Ω(n). This is an exponential improvement over the previously known Ω(log n) lower-bound. (Separations) There exists an (explicit) predicate whose CDS complexity is exponentially smaller than its randomized communication complexity. This matches a lower-bound of Gay, Kerenidis, and Wee [Advances in Cryptology, Lecture Notes in Comput. Sci. 9216, Springer, New York, 2015, pp. 485-502] and, combined with another result of theirs, yields an exponential separation between the communication complexity of linear CDS and non-linear CDS. This is the first provable gap between the communication complexity of linear CDS (which captures most known protocols) and nonlinear CDS.
AB - In the conditional disclosure of secrets (CDS) problem [Gertner et al., J. Comput. System Sci., 60 (2000), pp. 592-629] Alice and Bob, who hold inputs x and y, respectively, wish to release a common secret s to Carol (who knows both x and y) if and only if the input (x, y) satisfies some predefined predicate f. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some joint randomness and the goal is to minimize the communication complexity while providing information-theoretic security. In this work, we initiate the study of CDS manipulation techniques and derive the following positive and negative results: (Closure) A CDS for f can be turned into a CDS for its complement f̄ with only a minor blow-up in complexity. More generally, for a (possibly nonmonotone) predicate h, we obtain a CDS for h(f_1, ..., f_m) whose cost is essentially linear in the formula size of h and polynomial in the CDS complexity of f_i. (Amplification) It is possible to reduce the privacy and correctness error of a CDS from constant to 2^{-k} with a multiplicative overhead of O(k). Moreover, this overhead can be amortized over k-bit secrets. (Amortization) Every predicate f over n-bit inputs admits a CDS for multibit secrets whose amortized communication complexity per secret bit grows linearly with the input length n for sufficiently long secrets. In contrast, the best known upper-bound for single-bit secrets is exponential in n. (Lower-bounds) There exists a (nonexplicit) predicate f over n-bit inputs for which any perfect (single-bit) CDS requires communication of at least Ω(n). This is an exponential improvement over the previously known Ω(log n) lower-bound. (Separations) There exists an (explicit) predicate whose CDS complexity is exponentially smaller than its randomized communication complexity. This matches a lower-bound of Gay, Kerenidis, and Wee [Advances in Cryptology, Lecture Notes in Comput. Sci. 9216, Springer, New York, 2015, pp. 485-502] and, combined with another result of theirs, yields an exponential separation between the communication complexity of linear CDS and non-linear CDS. This is the first provable gap between the communication complexity of linear CDS (which captures most known protocols) and nonlinear CDS.
KW - Communication complexity
KW - Conditional disclosure of secrets
KW - Information-theoretic cryptography
KW - Secret sharing
UR - http://www.scopus.com/inward/record.url?scp=85101154166&partnerID=8YFLogxK
U2 - 10.1137/18M1217097
DO - 10.1137/18M1217097
M3 - Article
AN - SCOPUS:85101154166
VL - 50
SP - 32
EP - 67
JO - SIAM Journal on Computing
JF - SIAM Journal on Computing
SN - 0097-5397
IS - 1
ER -