Placing Conditional Disclosure of Secrets in the Communication Complexity Universe
In the conditional disclosure of secrets (CDS) problem (Gertner et al., J. Comput. Syst. Sci., 2000) Alice and Bob, who hold n-bit inputs x and y respectively, wish to release a common secret z to Carol (who knows both x and y) if and only if the input (x,y) satisfies some predefined predicate f. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some shared randomness, and the goal is to minimize the communication complexity while providing information-theoretic security.
Despite the growing interest in this model, very few lower-bounds are known. In this paper, we relate the CDS complexity of a predicate f to its communication complexity under various communication games. For several basic predicates our results yield tight, or almost tight, lower-bounds of Omega(n) or Omega(n^{1-epsilon}), providing an exponential improvement over previous logarithmic lower-bounds.
We also define new communication complexity classes that correspond to different variants of the CDS model and study the relations between them and their complements. Notably, we show that allowing for imperfect correctness can significantly reduce communication - a seemingly new phenomenon in the context of information-theoretic cryptography. Finally, our results show that proving explicit super-logarithmic lower-bounds for imperfect CDS protocols is a necessary step towards proving explicit lower-bounds against the class AM, or even AM ∩ coAM - a well known open problem in the theory of communication complexity. Thus imperfect CDS forms a new minimal class which is placed just beyond the boundaries of the "civilized" part of the communication complexity world for which explicit lower-bounds are known.
Relating non-local quantum computation to information theoretic cryptography
Non-local quantum computation (NLQC) is a cheating strategy for position-verification schemes, and has appeared in the context of the AdS/CFT correspondence. Here, we connect NLQC to the wider context of information theoretic cryptography by relating it to a number of other cryptographic primitives. We show one special case of NLQC, known as -routing, is equivalent to the quantum analogue of the conditional disclosure of secrets (CDS) primitive, where by equivalent we mean that a protocol for one task gives a protocol for the other with only small overhead in resource costs. We further consider another special case of position verification, which we call coherent function evaluation (CFE), and show CFE protocols induce similarly efficient protocols for the private simultaneous message passing (PSM) scenario. By relating position-verification to these cryptographic primitives, a number of results in the cryptography literature give new implications for NLQC, and vice versa. These include the first sub-exponential upper bounds on the worst case cost of -routing of entanglement, the first example of an efficient -routing strategy for a problem believed to be outside , linear lower bounds on entanglement for CDS in the quantum setting, linear lower bounds on communication cost of CFE, and efficient protocols for CDS in the quantum setting for functions that can be computed with quantum circuits of low depth.
On Polynomial Secret Sharing Schemes
Nearly all secret sharing schemes studied so far are linear or multi-linear schemes. Although these schemes allow implementing any monotone access structure, the share complexity, , may be suboptimal: there are access structures for which the gap between the best known lower bounds and the best known multi-linear schemes is exponential.
There is growing evidence in the literature that non-linear schemes can improve share complexity for some access structures, with the work of Beimel and Ishai (CCC '01) being among the first to demonstrate it. This motivates further study of non-linear schemes.
We initiate a systematic study of polynomial secret sharing schemes (PSSS), where shares are (multi-variate) polynomials of the secret and randomness vectors, respectively, over some finite field F_q.
Our main hope is that the algebraic structure of polynomials will help obtain better lower bounds than those known for general secret sharing.
Some of the initial results we prove in this work are as follows.
On share complexity of polynomial schemes.
First we study degree (at most) 1 in the randomness variables (where the degree of the secret variables is unlimited).
We show that for a large subclass of these schemes, there exist equivalent multi-linear schemes with share complexity overhead.
Namely, PSSS where every polynomial misses monomials of exact degree in and 0 in ,
and PSSS where all polynomials miss monomials of exact degree in and 1 in .
This translates the known lower bound of for multi-linear schemes onto a class of schemes strictly larger than multi-linear schemes, in contrast with the best bound known for general schemes, with no progress since '94.
An observation in the positive direction we make refers to the share complexity (per bit) of multi-linear schemes (polynomial schemes of total degree 1). We observe that the scheme by Liu et al. obtaining share complexity can be transformed into a multi-linear scheme with similar share complexity per bit, for sufficiently long secrets.
For the next natural degree to consider, 2 in , we show that PSSS where all share polynomials are of exact degree 2 in (without exact degree 1 in monomials), where F_q has odd characteristic, can implement only trivial access structures where the minterms consist of single parties.
Obtaining improved lower bounds for degree-2 in PSSS, and even arbitrary degree-1 in PSSS, is left as an interesting open question.
On the randomness complexity of polynomial schemes.
We prove that for every degree-2 polynomial secret sharing scheme, there exists an equivalent degree-2 scheme with identical share complexity and with randomness complexity, , bounded by . For general PSSS, we obtain a similar bound on (preserving and F_q but not degree). So far, bounds on randomness complexity were known only for multi-linear schemes, demonstrating that is always achievable. Our bounds are not nearly as practical as those for multi-linear schemes and should be viewed as a proof of concept. If a much better bound for some degree bound is obtained, it would lead directly to super-polynomial counting-based lower bounds for degree- PSSS over constant-sized fields.
Another application of low (say, polynomial) randomness complexity is transforming polynomial schemes with polynomial-sized (in ) algebraic formulas for each share into a degree-3 scheme with only polynomial blowup in share complexity, using standard randomizing polynomials constructions.
Improved Polynomial Secret-Sharing Schemes
Despite active research on secret-sharing schemes for arbitrary access structures for more than 35 years, we do not understand their share size: the best known upper bound for an arbitrary n-party access structure is , while the best known lower bound is . Consistent with our knowledge, the share size can be anywhere between these bounds. To better understand this question, one can study specific families of secret-sharing schemes. For example, linear secret-sharing schemes, in which the sharing and reconstruction are computed by linear mappings, have been studied in many papers; e.g., it is known that they require shares of size at least . Secret-sharing schemes in which the sharing and/or reconstruction are computed by low-degree polynomials have been recently studied by Paskin-Cherniavsky and Radune [ITC 2020] and by Beimel, Othman, and Peter [CRYPTO 2021]. It was shown that secret-sharing schemes with sharing and reconstruction computed by polynomials of degree 2 are more efficient than linear schemes (i.e., schemes in which the sharing and reconstruction are computed by polynomials of degree one).
Prior to our work, it was not known if using polynomials of higher degree can reduce the share size. We show that this is indeed the case, i.e., we construct secret-sharing schemes with reconstruction by degree- polynomials, where as the reconstruction degree increases, the share size for arbitrary access structures decreases. As a step in our construction, we construct conditional disclosure of secrets (CDS) protocols. For example, we construct 2-server CDS protocols for functions with reconstruction computed by degree-d polynomials with message size . Combining our results with a lower bound of Beimel et al. [CRYPTO 2021], we show that increasing the degree of the reconstruction function in CDS protocols provably reduces the message size. To construct our schemes, we define sparse matching vectors, show constructions of such vectors, and design CDS protocols and secret-sharing schemes with degree- reconstruction from sparse matching vectors.
Secret-Sharing Schemes for General and Uniform Access Structures
A secret-sharing scheme allows some authorized sets of parties to reconstruct a secret; the collection of authorized sets is called the access structure. For over 30 years, it was known that any (monotone) collection of authorized sets can be realized by a secret-sharing scheme whose shares are of size , and until recently no better scheme was known. In a recent breakthrough, Liu and Vaikuntanathan (STOC 2018) reduced the share size to . Our first contribution is improving the exponent of secret sharing down to . For the special case of linear secret-sharing schemes, we get an exponent of (compared to of Liu and Vaikuntanathan).
Motivated by the construction of Liu and Vaikuntanathan, we study secret-sharing schemes for uniform access structures. An access structure is -uniform if all sets of size larger than are authorized, all sets of size smaller than are unauthorized, and each set of size can be either authorized or unauthorized. The construction of Liu and Vaikuntanathan starts from protocols for conditional disclosure of secrets, constructs secret-sharing schemes for uniform access structures from them, and combines these schemes in order to obtain secret-sharing schemes for general access structures. Our second contribution in this paper is constructions of secret-sharing schemes for uniform access structures. We achieve the following results:
(a) A secret-sharing scheme for -uniform access structures for large secrets in which the share size is times the size of the secret.
(b) A linear secret-sharing scheme for -uniform access structures for a binary secret in which the share size is (where is the binary entropy function). By counting arguments, this construction is optimal (up to polynomial factors).
(c) A secret-sharing scheme for -uniform access structures for a binary secret in which the share size is .
Our third contribution is a construction of ad-hoc PSM protocols, i.e., PSM protocols in which only a subset of the parties will compute a function on their inputs. This result is based on ideas we used in the construction of secret-sharing schemes for -uniform access structures for a binary secret.
Secret-Sharing from Robust Conditional Disclosure of Secrets
A secret-sharing scheme is a method by which a dealer, holding a secret string, distributes shares to parties such that only authorized subsets of parties can reconstruct the secret.
The collection of authorized subsets is called an access structure.
Secret-sharing schemes are an important tool in cryptography and they are used as a building block in many secure protocols.
In the original constructions of secret-sharing schemes by Ito et al. [Globecom 1987], the share size of each party is (where is the number of parties in the access structure).
New constructions of secret-sharing schemes followed; however, the share size in these schemes remains basically the same.
Although much effort has been devoted to this problem, no progress was made for more than 30 years.
Recently, in a breakthrough paper, Liu and Vaikuntanathan [STOC 2018] constructed a secret-sharing scheme for a general access structure with share size .
The construction is based on new protocols for conditional disclosure of secrets (CDS).
This was improved by Applebaum et al. [EUROCRYPT 2019] to .
In this work, we construct improved secret-sharing schemes for a general access structure with share size .
Our schemes are linear, that is, the shares are a linear function of the secret and some random elements from a finite field.
Previously, the best linear secret-sharing scheme had shares of size .
Most applications of secret-sharing require linearity. Our scheme is conceptually simpler than previous schemes, using a new reduction to two-party CDS protocols (previous schemes used a reduction to multi-party CDS protocols).
In a CDS protocol for a function , there are parties and a referee; each party holds a private input and a common secret, and sends one message to the referee (without seeing the other messages).
On one hand, if the function applied to the inputs returns , then it is required that the referee, which knows the inputs, can reconstruct the secret from the messages.
On the other hand, if the function applied to the inputs returns , then the referee should get no information on the secret from the messages. However, if the referee gets two messages from a party, corresponding to two different inputs (as happens in our reduction from secret-sharing to CDS), then the referee might be able to reconstruct the secret although it should not.
To overcome this problem, we define and construct -robust CDS protocols, where the referee cannot get any information on the secret when it gets messages for a set of zero-inputs of .
We show that if a function has a two-party CDS protocol with message size , then it has a two-party -robust CDS protocol with normalized message size .
Furthermore, we show that every function has a multi-linear -robust CDS protocol with normalized message size .
We use a variant of this protocol (with slightly larger than ) to construct our improved linear secret-sharing schemes.
Finally, we construct robust -party CDS protocols for
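The two-party CDS model defined above (the same model as in the first abstract on this page) and the randomness-reuse problem that motivates robust CDS, as an added worked example that is not code from any of the papers listed here: the textbook linear CDS for the equality predicate f(x, y) = [x == y] over a prime field F_p, an exhaustive privacy check on a small field, and the attack Carol can run when she receives Alice's messages for two different inputs computed under the same shared randomness. The field size, function names and sample inputs are my assumptions.

```python
"""Two-party CDS for equality over F_p, an exhaustive privacy check, and the
randomness-reuse attack that plain (non-robust) CDS does not resist.
Added worked example; this is the textbook linear equality CDS, not code
from any paper on this page.  Field size and sample inputs are assumptions."""
import secrets
from collections import Counter

P = 2**61 - 1  # Mersenne prime; assumed: inputs x, y and the secret z lie in F_P


def shared_randomness(p=P):
    """Common random string (r, s): known to Alice and Bob, hidden from Carol."""
    return secrets.randbelow(p), secrets.randbelow(p)


def alice_msg(x, rand, p=P):
    """Alice's single message a = r*x + s; s acts as a one-time pad on r*x."""
    r, s = rand
    return (r * x + s) % p


def bob_msg(y, z, rand, p=P):
    """Bob's single message b = r*y + s + z."""
    r, s = rand
    return (r * y + s + z) % p


def carol_reconstruct(a, b, p=P):
    """Carol (who knows x and y) computes b - a = r*(y - x) + z.
    If x == y this is exactly z; if x != y, r*(y - x) is uniform in F_p and
    (a, b) is a bijective image of (r, s), so the transcript is independent of z."""
    return (b - a) % p


def cds_equality(x, y, z, rand=None, p=P):
    """Run the protocol end to end and return what Carol reconstructs."""
    if rand is None:
        rand = shared_randomness(p)
    return carol_reconstruct(alice_msg(x, rand, p), bob_msg(y, z, rand, p), p)


def transcript_distribution(x, y, z, p):
    """Enumerate every (r, s) in F_p^2 and count the transcripts (a, b) Carol
    could see.  Perfect privacy on a zero-input means this multiset does not
    depend on z; correctness on a one-input means b - a == z for every entry."""
    counts = Counter()
    for r in range(p):
        for s in range(p):
            counts[(alice_msg(x, (r, s), p), bob_msg(y, z, (r, s), p))] += 1
    return counts


def carol_attack(x0, x1, a0, a1, y, b, p=P):
    """Why plain CDS is not robust: with Alice's messages for two distinct
    inputs x0 != x1 under the SAME (r, s), plus Bob's message for y, Carol
    solves for r and s and then for z, even though f(x0, y) = f(x1, y) = 0."""
    r = ((a0 - a1) * pow((x0 - x1) % p, -1, p)) % p  # a0 - a1 = r*(x0 - x1)
    s = (a0 - r * x0) % p                            # a0 = r*x0 + s
    return (b - r * y - s) % p                       # b = r*y + s + z


if __name__ == "__main__":
    print(cds_equality(7, 7, 42))    # 42: x == y, Carol learns the secret
    print(cds_equality(7, 8, 42))    # a random field element, independent of 42
    rand = shared_randomness()
    a0, a1 = alice_msg(2, rand), alice_msg(5, rand)   # two inputs, same randomness
    b = bob_msg(9, 77, rand)
    print(carol_attack(2, 5, a0, a1, 9, b))           # 77: secret leaked
```

The exhaustive check is the argument a reviewer wants to see for a one-message protocol: for x != y the map (r, s) -> (a, b - a) is a bijection on F_p^2, so every transcript occurs exactly once whatever z is. The attack shows that this guarantee is only for a single (x, y) pair per random string; a reduction from secret sharing that hands the referee several messages of one party under the same randomness, as the abstract describes, needs the t-robust variant defined above rather than this plain scheme.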
Secrets and Liens: Verification and Measurement in Commercial Finance Law
This article argues that commercial finance law increasingly uses contract rules to displace property rules, especially as these rules pertain to verifying and measuring property interests. In this context, verification simply means confirming the existence of a property interest, such as a lien or security interest. Measurement means determining the relationships of various property interests to one another (i.e., the priority of interests).
Historically, commercial finance law -- in particular the Uniform Commercial Code, which governs loans secured by personal property -- provided that something would be treated as "property" only if its property character was fairly easy to discover. As a general matter, the commercial law frowned on "secret liens" -- undisclosed interests in property. The principal method of verifying and measuring property interests in commercial finance law was, until recently, notice-filing.
Important, but little-explored, changes to the UCC -- and the enactment of statutes that effectively override the UCC -- are changing all of this. The 2001 revisions to the UCC, for example, contemplate a fairly broad range of "secret" liens, which will arise when data, bank accounts or investment property (stocks and bonds), among other things, are collateral for a secured loan. These liens are secret because the UCC provides that they are created solely by contract. No public notice of these property interests need be given to be effective.
More important, a number of states -- most notably Delaware -- have enacted non-uniform statutes intended to "facilitate" asset securitizations -- complex commercial finance transactions that were, in certain respects, misused by Enron. These facilitation acts should preempt the UCC, and void any notice-filing rules that might otherwise apply. Secret liens will be entirely enforceable under Delaware law.
Given this trend, the article then considers whether notice-filing systems in fact have much value. The article first assesses the standard rationales for these systems, and observes that none is terribly persuasive. The article goes on to consider the trend in the light of important developments in property law and in economic thinking about commercial finance law. Neither current property law theory, nor established economic thinking, fully accounts for the developing contractualization of property in commercial finance law. The article concludes by suggesting an alternative approach to the problem of verifying and measuring property interests in commercial finance law: through our developing understanding of the role that "community" plays in setting appropriate default rules in private ordering.
The Share Size of Secret-Sharing Schemes for Almost All Access Structures and Graphs
The share size of general secret-sharing schemes is poorly understood. The gap between the best known upper bound on the total share size per party of (Applebaum and Nir, CRYPTO 2021) and the best known lower bound of (Csirmaz, J. of Cryptology 1997) is huge (where is the number of parties in the scheme). To gain some understanding of this problem, we study the share size of secret-sharing schemes for almost all access structures, i.e., for almost all collections of authorized sets. This is motivated by the fact that in complexity theory, almost all objects are often the hardest (e.g., most Boolean functions require exponential-size circuits). All previous constructions of secret-sharing schemes were for the worst access structures (i.e., for all access structures) or for specific families of access structures.
We prove upper bounds on the share size for almost all access structures. We combine results on almost all monotone Boolean functions (Korshunov, Probl. Kibern. 1981) and a construction of (Liu and Vaikuntanathan, STOC 2018) and conclude that almost all access structures have a secret-sharing scheme with share size .
We also study graph secret-sharing schemes. In these schemes, the parties are vertices of a graph and a set can reconstruct the secret if and only if it contains an edge. Again, for this family there is a huge gap between the upper bound - (Erdös and Pyber, Discrete Mathematics 1997) - and the lower bound - (van Dijk, Des. Codes Crypto. 1995). We show that for almost all graphs, the share size of each party is . This result is achieved by using robust 2-server conditional disclosure of secrets protocols, a new primitive introduced and constructed in (Applebaum et al., STOC 2020), and the fact that the size of the maximal independent set in a random graph is small. Finally, using robust conditional disclosure of secrets protocols, we improve the total share size for all very dense graphs.