
    Placing Conditional Disclosure of Secrets in the Communication Complexity Universe

    In the conditional disclosure of secrets (CDS) problem (Gertner et al., J. Comput. Syst. Sci., 2000) Alice and Bob, who hold $n$-bit inputs $x$ and $y$ respectively, wish to release a common secret $z$ to Carol (who knows both $x$ and $y$) if and only if the input $(x,y)$ satisfies some predefined predicate $f$. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some shared randomness, and the goal is to minimize the communication complexity while providing information-theoretic security. Despite the growing interest in this model, very few lower-bounds are known. In this paper, we relate the CDS complexity of a predicate $f$ to its communication complexity under various communication games. For several basic predicates our results yield tight, or almost tight, lower-bounds of $\Omega(n)$ or $\Omega(n^{1-\epsilon})$, providing an exponential improvement over previous logarithmic lower-bounds. We also define new communication complexity classes that correspond to different variants of the CDS model and study the relations between them and their complements. Notably, we show that allowing for imperfect correctness can significantly reduce communication, a seemingly new phenomenon in the context of information-theoretic cryptography. Finally, our results show that proving explicit super-logarithmic lower-bounds for imperfect CDS protocols is a necessary step towards proving explicit lower-bounds against the class AM, or even AM $\cap$ coAM, a well known open problem in the theory of communication complexity. Thus imperfect CDS forms a new minimal class which is placed just beyond the boundaries of the "civilized" part of the communication complexity world for which explicit lower-bounds are known.

    Relating non-local quantum computation to information theoretic cryptography

    Non-local quantum computation (NLQC) is a cheating strategy for position-verification schemes, and has appeared in the context of the AdS/CFT correspondence. Here, we connect NLQC to the wider context of information theoretic cryptography by relating it to a number of other cryptographic primitives. We show one special case of NLQC, known as $f$-routing, is equivalent to the quantum analogue of the conditional disclosure of secrets (CDS) primitive, where by equivalent we mean that a protocol for one task gives a protocol for the other with only small overhead in resource costs. We further consider another special case of position verification, which we call coherent function evaluation (CFE), and show CFE protocols induce similarly efficient protocols for the private simultaneous message passing (PSM) scenario. By relating position-verification to these cryptographic primitives, a number of results in the cryptography literature give new implications for NLQC, and vice versa. These include the first sub-exponential upper bounds on the worst case cost of $f$-routing of $2^{O(\sqrt{n\log n})}$ entanglement, the first example of an efficient $f$-routing strategy for a problem believed to be outside $P/poly$, linear lower bounds on entanglement for CDS in the quantum setting, linear lower bounds on communication cost of CFE, and efficient protocols for CDS in the quantum setting for functions that can be computed with quantum circuits of low $T$ depth.

    On Polynomial Secret Sharing Schemes

    Nearly all secret sharing schemes studied so far are linear or multi-linear schemes. Although these schemes allow implementing any monotone access structure, the share complexity, $SC$, may be suboptimal: there are access structures for which the gap between the best known lower bounds and best known multi-linear schemes is exponential. There is growing evidence in the literature that non-linear schemes can improve share complexity for some access structures, with the work of Beimel and Ishai (CCC '01) being among the first to demonstrate it. This motivates further study of non-linear schemes. We initiate a systematic study of polynomial secret sharing schemes (PSSS), where shares are (multi-variate) polynomials of secret and randomness vectors $\vec{s}, \vec{r}$ respectively over some finite field $\mathbb{F}_q$. Our main hope is that the algebraic structure of polynomials would help obtain better lower bounds than those known for general secret sharing. Some of the initial results we prove in this work are as follows.

    On share complexity of polynomial schemes. First we study degree (at most) 1 in randomness variables $\vec{r}$ (where the degree of secret variables is unlimited). We have shown that for a large subclass of these schemes, there exist equivalent multi-linear schemes with $O(n)$ share complexity overhead. Namely, PSSS where every polynomial misses monomials of exact degree $c \geq 2$ in $\vec{s}$ and 0 in $\vec{r}$, and PSSS where all polynomials miss monomials of exact degree $\geq 1$ in $\vec{s}$ and 1 in $\vec{r}$. This translates the known lower bound of $\Omega(n^{\log(n)})$ for multi-linear schemes onto a class of schemes strictly larger than multi-linear schemes, to contrast with the best $\Omega(n^2/\log(n))$ bound known for general schemes, with no progress since '94. An observation in the positive direction we make refers to the share complexity (per bit) of multi-linear schemes (polynomial schemes of total degree 1). We observe that the scheme by Liu et al. obtaining share complexity $O(2^{0.994n})$ can be transformed into a multi-linear scheme with similar share complexity per bit, for sufficiently long secrets. For the next natural degree to consider, 2 in $\vec{r}$, we have shown that PSSS where all share polynomials are of exact degree 2 in $\vec{r}$ (without exact degree 1 in $\vec{r}$ monomials), where $\mathbb{F}_q$ has odd characteristic, can implement only trivial access structures where the minterms consist of single parties. Obtaining improved lower bounds for degree-2 in $\vec{r}$ PSSS, and even arbitrary degree-1 in $\vec{r}$ PSSS, is left as an interesting open question.

    On the randomness complexity of polynomial schemes. We prove that for every degree-2 polynomial secret sharing scheme, there exists an equivalent degree-2 scheme with identical share complexity with randomness complexity, $RC$, bounded by $2^{poly(SC)}$. For general PSSS, we obtain a similar bound on $RC$ (preserving $SC$ and $\mathbb{F}_q$ but not degree). So far, bounds on randomness complexity were known only for multi-linear schemes, demonstrating that $RC \leq SC$ is always achievable. Our bounds are not nearly as practical as those for multi-linear schemes, and should be viewed as a proof of concept. If a much better bound for some degree bound $d = O(1)$ is obtained, it would lead directly to super-polynomial counting-based lower bounds for degree-$d$ PSSS over constant-sized fields. Another application of low (say, polynomial) randomness complexity is transforming polynomial schemes with polynomial-sized (in $n$) algebraic formulas $C(\vec{s},\vec{r})$ for each share into a degree-3 scheme with only polynomial blowup in share complexity, using standard randomizing polynomials constructions.

    Improved Polynomial Secret-Sharing Schemes

    Despite active research on secret-sharing schemes for arbitrary access structures for more than 35 years, we do not understand their share size: the best known upper bound for an arbitrary $n$-party access structure is $2^{O(n)}$ while the best known lower bound is $\Omega(n/\log(n))$. Consistent with our knowledge, the share size can be anywhere between these bounds. To better understand this question, one can study specific families of secret-sharing schemes. For example, linear secret-sharing schemes, in which the sharing and reconstruction are computed by linear mappings, have been studied in many papers, e.g., it is known that they require shares of size at least $2^{0.5n}$. Secret-sharing schemes in which the sharing and/or reconstruction are computed by low-degree polynomials have been recently studied by Paskin-Cherniavsky and Radune [ITC 2020] and by Beimel, Othman, and Peter [CRYPTO 2021]. It was shown that secret-sharing schemes with sharing and reconstruction computed by polynomials of degree 2 are more efficient than linear schemes (i.e., schemes in which the sharing and reconstruction are computed by polynomials of degree one). Prior to our work, it was not known if using polynomials of higher degree can reduce the share size. We show that this is indeed the case, i.e., we construct secret-sharing schemes with reconstruction by degree-$d$ polynomials, where as the reconstruction degree $d$ increases, the share size for arbitrary access structures decreases. As a step in our construction, we construct conditional disclosure of secrets (CDS) protocols. For example, we construct 2-server CDS protocols for functions $f : [N] \times [N] \to \{0, 1\}$ with reconstruction computed by degree-$d$ polynomials with message size $N^{O(\log \log d/ \log d)}$. Combining our results with a lower bound of Beimel et al. [CRYPTO 2021], we show that increasing the degree of the reconstruction function in CDS protocols provably reduces the message size. To construct our schemes, we define sparse matching vectors, show constructions of such vectors, and design CDS protocols and secret-sharing schemes with degree-$d$ reconstruction from sparse matching vectors.

    Secret-Sharing Schemes for General and Uniform Access Structures

    A secret-sharing scheme allows some authorized sets of parties to reconstruct a secret; the collection of authorized sets is called the access structure. For over 30 years, it was known that any (monotone) collection of authorized sets can be realized by a secret-sharing scheme whose shares are of size $2^{n-o(n)}$ and until recently no better scheme was known. In a recent breakthrough, Liu and Vaikuntanathan (STOC 2018) have reduced the share size to $O(2^{0.994n})$. Our first contribution is improving the exponent of secret sharing down to $0.892$. For the special case of linear secret-sharing schemes, we get an exponent of $0.942$ (compared to $0.999$ of Liu and Vaikuntanathan). Motivated by the construction of Liu and Vaikuntanathan, we study secret-sharing schemes for uniform access structures. An access structure is $k$-uniform if all sets of size larger than $k$ are authorized, all sets of size smaller than $k$ are unauthorized, and each set of size $k$ can be either authorized or unauthorized. The construction of Liu and Vaikuntanathan starts from protocols for conditional disclosure of secrets, constructs secret-sharing schemes for uniform access structures from them, and combines these schemes in order to obtain secret-sharing schemes for general access structures. Our second contribution in this paper is constructions of secret-sharing schemes for uniform access structures. We achieve the following results: (a) A secret-sharing scheme for $k$-uniform access structures for large secrets in which the share size is $O(k^2)$ times the size of the secret. (b) A linear secret-sharing scheme for $k$-uniform access structures for a binary secret in which the share size is $\tilde{O}(2^{h(k/n)n/2})$ (where $h$ is the binary entropy function). By counting arguments, this construction is optimal (up to polynomial factors). (c) A secret-sharing scheme for $k$-uniform access structures for a binary secret in which the share size is $2^{\tilde{O}(\sqrt{k \log n})}$. Our third contribution is a construction of ad-hoc PSM protocols, i.e., PSM protocols in which only a subset of the parties will compute a function on their inputs. This result is based on ideas we used in the construction of secret-sharing schemes for $k$-uniform access structures for a binary secret.
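    The access-structure definitions above (monotone collection of authorized sets, $k$-uniform structures, and the generic $2^{n-o(n)}$ share size) as an added Python example, not code from the paper: the classic construction of Ito, Saito and Nishizeki, which shares the secret additively once per minimal authorized set. The prime field, the `frozenset` encoding of parties and the small $k$-uniform structure built by `k_uniform_minterms` are my own choices for illustration; a party's share is one field element per minterm that contains it, which is exactly why this generic approach blows up with the number of minterms.

```python
"""Secret sharing for an arbitrary monotone access structure given by its
minimal authorized sets (minterms): the Ito-Saito-Nishizeki construction.

Added example, not code from the listed papers. Dealer: for every minterm B,
split the secret additively among the members of B. Reconstruction: any
authorized set contains some minterm B and sums B's pieces. Privacy: an
unauthorized set contains no minterm, so for every B it misses at least one
piece, and the pieces it does hold are uniformly random and independent of
the secret. Share size of a party = number of minterms containing it.
"""
import secrets
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

P = 2**31 - 1   # prime field for the additive shares (assumption: any prime works)

# A party's share maps each minterm it belongs to -> its additive piece.
Share = Dict[FrozenSet[int], int]


def share(secret: int, n: int, minterms: List[FrozenSet[int]]) -> Dict[int, Share]:
    """Dealer: |B|-1 uniformly random pieces per minterm B, last piece fixed
    so that the pieces of B sum to the secret mod P."""
    shares: Dict[int, Share] = {i: {} for i in range(n)}
    for B in minterms:
        members = sorted(B)
        pieces = [secrets.randbelow(P) for _ in members[:-1]]
        pieces.append((secret - sum(pieces)) % P)
        for party, piece in zip(members, pieces):
            shares[party][B] = piece
    return shares


def reconstruct(parties: FrozenSet[int], shares: Dict[int, Share],
                minterms: List[FrozenSet[int]]) -> Tuple[bool, int]:
    """Returns (authorized, secret). A set is authorized iff it contains a
    minterm; unauthorized sets get (False, 0) because no full sum exists."""
    for B in minterms:
        if B <= parties:
            return True, sum(shares[i][B] for i in B) % P
    return False, 0


def share_size(party: int, shares: Dict[int, Share]) -> int:
    """Number of field elements held by `party`, i.e. minterms containing it."""
    return len(shares[party])


def k_uniform_minterms(n: int, k: int,
                       authorized_k_sets: List[FrozenSet[int]]) -> List[FrozenSet[int]]:
    """Minterms of a k-uniform access structure on parties 0..n-1: the chosen
    authorized k-sets, plus every (k+1)-set that contains none of them. Every
    larger set contains a (k+1)-set, so it is authorized, as the definition
    requires; every smaller set contains no minterm."""
    minterms = list(authorized_k_sets)
    for c in combinations(range(n), k + 1):
        S = frozenset(c)
        if not any(A <= S for A in authorized_k_sets):
            minterms.append(S)
    return minterms


if __name__ == "__main__":
    # Constructed input: 5 parties, k = 2, with {0,1} and {2,3} authorized.
    mt = k_uniform_minterms(5, 2, [frozenset({0, 1}), frozenset({2, 3})])
    sh = share(4242, 5, mt)
    print("minterms:", len(mt))
    print("{0,1}    ->", reconstruct(frozenset({0, 1}), sh, mt))
    print("{0,2}    ->", reconstruct(frozenset({0, 2}), sh, mt))
    print("{0,2,4}  ->", reconstruct(frozenset({0, 2, 4}), sh, mt))
    print("share sizes:", [share_size(i, sh) for i in range(5)])
```

For a general monotone structure the number of minterms, and hence the per-party share size, can reach $\binom{n}{n/2}$, which is the $2^{n-o(n)}$ figure in the abstract; the CDS-based constructions the page discusses avoid enumerating minterms, which is where the improved exponents come from.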

    Secret-Sharing from Robust Conditional Disclosure of Secrets

    A secret-sharing scheme is a method by which a dealer, holding a secret string, distributes shares to parties such that only authorized subsets of parties can reconstruct the secret. The collection of authorized subsets is called an access structure. Secret-sharing schemes are an important tool in cryptography and they are used as a building block in many secure protocols. In the original constructions of secret-sharing schemes by Ito et al. [Globecom 1987], the share size of each party is $\tilde{O}(2^{n})$ (where $n$ is the number of parties in the access structure). New constructions of secret-sharing schemes followed; however, the share size in these schemes remains basically the same. Although much effort has been devoted to this problem, no progress was made for more than 30 years. Recently, in a breakthrough paper, Liu and Vaikuntanathan [STOC 2018] constructed a secret-sharing scheme for a general access structure with share size $\tilde{O}(2^{0.994n})$. The construction is based on new protocols for conditional disclosure of secrets (CDS). This was improved by Applebaum et al. [EUROCRYPT 2019] to $\tilde{O}(2^{0.892n})$. In this work, we construct improved secret-sharing schemes for a general access structure with share size $\tilde{O}(2^{0.762n})$. Our schemes are linear, that is, the shares are a linear function of the secret and some random elements from a finite field. Previously, the best linear secret-sharing scheme had shares of size $\tilde{O}(2^{0.942n})$. Most applications of secret-sharing require linearity. Our scheme is conceptually simpler than previous schemes, using a new reduction to two-party CDS protocols (previous schemes used a reduction to multi-party CDS protocols). In a CDS protocol for a function $f$, there are $k$ parties and a referee; each party holds a private input and a common secret, and sends one message to the referee (without seeing the other messages). On one hand, if the function $f$ applied to the inputs returns $1$, then it is required that the referee, which knows the inputs, can reconstruct the secret from the messages. On the other hand, if the function $f$ applied to the inputs returns $0$, then the referee should get no information on the secret from the messages. However, if the referee gets two messages from a party, corresponding to two different inputs (as happens in our reduction from secret-sharing to CDS), then the referee might be able to reconstruct the secret although it should not. To overcome this problem, we define and construct $t$-robust CDS protocols, where the referee cannot get any information on the secret when it gets $t$ messages for a set of zero-inputs of $f$. We show that if a function $f$ has a two-party CDS protocol with message size $c_f$, then it has a two-party $t$-robust CDS protocol with normalized message size $\tilde{O}(t c_f)$. Furthermore, we show that every function $f:[N] \times [N]\rightarrow \{0,1\}$ has a multi-linear $t$-robust CDS protocol with normalized message size $\tilde{O}(t+\sqrt{N})$. We use a variant of this protocol (with $t$ slightly larger than $\sqrt{N}$) to construct our improved linear secret-sharing schemes. Finally, we construct robust $k$-party CDS protocols for $k>2$.
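    The two-party CDS model (defined in this abstract and in the first one on this page) and the robustness failure described just above, as an added Python example that is not code from either paper: the textbook linear CDS for the equality predicate $f(x,y)=[x=y]$ over a prime field, followed by the attack in which the referee holds two of Alice's messages for different zero-inputs produced under the same shared randomness and recovers the secret. The field, variable names and the statistical privacy check are my own choices; the protocol itself is standard.

```python
"""Two-party CDS for the equality predicate f(x, y) = [x == y] over Z_p.

Added example, not code from the listed papers. Shared randomness (r, r')
is known to Alice and Bob but not to Carol (the referee). Alice sends
a = r*x + r', Bob sends b = r*y + r' + s. If x == y then b - a = s. If
x != y the map (r, r') -> (a, b) is a bijection of Z_p^2 for every fixed s,
so the transcript is uniform and independent of s: perfect privacy for a
single pair of messages. The protocol is NOT robust: two Alice messages for
x1 != x2 under the same (r, r') pin down r and r', after which s falls out.
"""
import secrets
from collections import Counter
from typing import Optional, Tuple

P = 2**61 - 1   # prime field (assumption: any prime modulus works)


def shared_randomness() -> Tuple[int, int]:
    """The common random string (r, r'), sampled once per protocol run."""
    return secrets.randbelow(P), secrets.randbelow(P)


def alice_message(x: int, rand: Tuple[int, int]) -> int:
    r, r2 = rand
    return (r * x + r2) % P


def bob_message(y: int, s: int, rand: Tuple[int, int]) -> int:
    r, r2 = rand
    return (r * y + r2 + s) % P


def carol_reconstruct(x: int, y: int, a: int, b: int) -> Optional[int]:
    """Referee knows x, y and both messages; learns s iff f(x, y) = 1."""
    if x != y:
        return None
    return (b - a) % P


def run_cds(x: int, y: int, s: int) -> Optional[int]:
    rand = shared_randomness()
    return carol_reconstruct(x, y, alice_message(x, rand), bob_message(y, s, rand))


def privacy_check(x: int, y: int, trials: int = 2000, p: int = 101) -> bool:
    """Empirical privacy on a small field with s = 1 and x != y: the quantity
    b - a = r*(y - x) + s that Carol would use for reconstruction is spread
    uniformly over Z_p instead of sitting on the secret."""
    assert x != y
    seen: Counter = Counter()
    for _ in range(trials):
        r, r2 = secrets.randbelow(p), secrets.randbelow(p)
        a = (r * x + r2) % p
        b = (r * y + r2 + 1) % p        # secret s = 1
        seen[(b - a) % p] += 1
    # Leakage would put all mass on 1; uniformity spreads it over ~p values.
    return seen[1] < trials // 4 and len(seen) > p // 2


def robustness_attack(x1: int, x2: int, y: int, s: int) -> int:
    """Carol receives Alice's messages for two zero-inputs x1, x2 (x1 != x2,
    both != y) made with the SAME shared randomness, plus Bob's message.
    f = 0 on everything she holds, yet she recovers s."""
    assert x1 != x2 and x1 != y and x2 != y
    rand = shared_randomness()
    a1, a2 = alice_message(x1, rand), alice_message(x2, rand)
    b = bob_message(y, s, rand)
    # a1 - a2 = r*(x1 - x2)  =>  r = (a1 - a2) * (x1 - x2)^-1
    r = (a1 - a2) * pow((x1 - x2) % P, -1, P) % P
    r2 = (a1 - r * x1) % P              # r' = a1 - r*x1
    return (b - r * y - r2) % P         # s = b - r*y - r'


if __name__ == "__main__":
    print("x == y:", run_cds(7, 7, 12345))          # secret revealed
    print("x != y:", run_cds(7, 8, 12345))          # None, nothing learned
    print("single transcript private:", privacy_check(3, 5))
    print("two Alice messages leak s:", robustness_attack(3, 4, 9, 4242))
```

The $t$-robust protocols in the abstract are exactly what closes this hole: the referee may collect $t$ messages for zero-inputs and still learn nothing, which is the property the reduction from secret sharing to CDS needs.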

    Secrets and Liens: Verification and Measurement in Commercial Finance Law

    This article argues that commercial finance law increasingly uses contract rules to displace property rules, especially as these rules pertain to verifying and measuring property interests. In this context, verification simply means confirming the existence of a property interest, such as a lien or security interest. Measurement means determining the relationships of various property interests to one another (i.e., the priority of interests). Historically, commercial finance law – in particular the Uniform Commercial Code, which governs loans secured by personal property – provided that something would be treated as “property” only if its property character was fairly easy to discover. As a general matter, the commercial law frowned on “secret liens” – undisclosed interests in property. The principal method of verifying and measuring property interests in commercial finance law was, until recently, notice-filing. Important, but little-explored, changes to the UCC – and the enactment of statutes that effectively override the UCC – are changing all of this. The 2001 revisions to the UCC, for example, contemplate a fairly broad range of “secret” liens, which will arise when data, bank accounts or investment property (stocks and bonds), among other things, are collateral for a secured loan. These liens are secret because the UCC provides that they are created solely by contract. No public notice of these property interests need be given to be effective. More important, a number of states – most notably Delaware – have enacted non-uniform statutes intended to “facilitate” asset securitizations – complex commercial finance transactions that were, in certain respects, misused by Enron. These facilitation acts should preempt the UCC, and void any notice-filing rules that might otherwise apply. Secret liens will be entirely enforceable under Delaware law. Given this trend, the article then considers whether notice-filing systems in fact have much value. The article first assesses the standard rationales for these systems, and observes that none is terribly persuasive. The article goes on to consider the trend in the light of important developments in property law and in economic thinking about commercial finance law. Neither current property law theory, nor established economic thinking, fully accounts for the developing contractualization of property in commercial finance law. The article concludes by suggesting an alternative approach to the problem of verifying and measuring property interests in commercial finance law: through our developing understanding of the role that “community” plays in setting appropriate default rules in private ordering.

    The Share Size of Secret-Sharing Schemes for Almost All Access Structures and Graphs

    The share size of general secret-sharing schemes is poorly understood. The gap between the best known upper bound on the total share size per party of $2^{0.59n}$ (Applebaum and Nir, CRYPTO 2021) and the best known lower bound of $\Omega(n/\log n)$ (Csirmaz, J. of Cryptology 1997) is huge (where $n$ is the number of parties in the scheme). To gain some understanding on this problem, we study the share size of secret-sharing schemes of almost all access structures, i.e., of almost all collections of authorized sets. This is motivated by the fact that in complexity, many times almost all objects are hardest (e.g., most Boolean functions require exponential size circuits). All previous constructions of secret-sharing schemes were for the worst access structures (i.e., all access structures) or for specific families of access structures. We prove upper bounds on the share size for almost all access structures. We combine results on almost all monotone Boolean functions (Korshunov, Probl. Kibern. 1981) and a construction of (Liu and Vaikuntanathan, STOC 2018) and conclude that almost all access structures have a secret-sharing scheme with share size $2^{\tilde{O}(\sqrt{n})}$. We also study graph secret-sharing schemes. In these schemes, the parties are vertices of a graph and a set can reconstruct the secret if and only if it contains an edge. Again, for this family there is a huge gap between the upper bounds, $O(n/\log n)$ (Erdős and Pyber, Discrete Mathematics 1997), and the lower bounds, $\Omega(\log n)$ (van Dijk, Des. Codes Crypto. 1995). We show that for almost all graphs, the share size of each party is $n^{o(1)}$. This result is achieved by using robust 2-server conditional disclosure of secrets protocols, a new primitive introduced and constructed in (Applebaum et al., STOC 2020), and the fact that the size of the maximal independent set in a random graph is small. Finally, using robust conditional disclosure of secrets protocols, we improve the total share size for all very dense graphs.