Closure, Amortization, Lower-bounds, and Separations Benny - PowerPoint PPT Presentation

Conditional Disclosure of Secrets: Amplification, Closure, Amortization, Lower-bounds, and Separations Benny Applebaum Barak Arkis Pavel Raykov Prashant Nalini Vasudevan

Conditional Disclosure of Secrets [GIKM00] 𝑔: 0,1 𝑜 × 0,1 𝑜 → {0,1} 𝜺 -Correctness: If 𝑔 𝑦, 𝑧 = 1, then for any 𝑡 , Randomness 𝑠 Pr 𝐷 𝑦, 𝑧, 𝑛 𝐵 , 𝑛 𝐶 = 𝑡 > 1 − δ 𝑦 𝑧 A B Secret 𝑡 𝝑 -Privacy: If 𝑔 𝑦, 𝑧 = 0 , then for any 𝑡 , 𝑛 𝐵 𝑛 𝐶 Δ 𝑇𝑗𝑛 𝑦, 𝑧 ; 𝑛 𝐵 , 𝑛 𝐶 < 𝜗 Communication: 𝑛 𝐵 + |𝑛 𝐶 | C 𝑦, 𝑧 Randomness: |𝑠|

Connections and Applications • Attribute-Based Encryption. [Att14,Wee14] • Secret-sharing for certain graph-based access structures. • Light-weight alternative to zero-knowledge proofs in some settings. [AIR01] • Data privacy in information-theoretic PIR. [GIKM00] • A minimal model of multi-party computation.

What Was Known Earlier Upper bounds: • Communication 2 𝑃( 𝑜 log 𝑜) for any predicate on 𝑜 -bit inputs. [LVW17] • Communication 𝑃(𝜏) for predicates with size- 𝜏 branching programs or span programs. [IW14,AR16] Lower bounds: • Explicit predicate that requires Ω(log 𝑜) bits of communication. [GKW15] • Same predicate requires Ω 𝑜 bits for linear CDS. [GKW15]

CDS and Statistical Difference Randomness 𝑠 𝜺 -Correctness: 𝑧 𝑦 A B If 𝑔 𝑦, 𝑧 = 1, then for any 𝑡 , Secret 𝑡 Pr 𝐷 𝑦, 𝑧, 𝑛 𝐵 , 𝑛 𝐶 = 𝑡 > 1 − δ 𝑛 𝐵 𝑛 𝐶 0 1 ≡ Δ 𝑛 𝐵 , 𝑛 𝐶 𝑦,𝑧 ; 𝑛 𝐵 , 𝑛 𝐶 𝑦,𝑧 > 1 − 2𝜀 C 𝑦, 𝑧 𝝑 -Privacy: If 𝑔 𝑦, 𝑧 = 0 , then for any 𝑡 , Distribution of (𝑛 𝐵 , 𝑛 𝐶 ) : Δ 𝑇𝑗𝑛 𝑦, 𝑧 ; 𝑛 𝐵 , 𝑛 𝐶 < 𝜗 0 • input (𝑦, 𝑧) , 𝑡 = 0 : 𝑛 𝐵 , 𝑛 𝐶 𝑦,𝑧 • input (𝑦, 𝑧) , 𝑡 = 1 : 𝑛 𝐵 , 𝑛 𝐶 𝑦,𝑧 1 0 1 ≡ Δ 𝑛 𝐵 , 𝑛 𝐶 𝑦,𝑧 ; 𝑛 𝐵 , 𝑛 𝐶 𝑦,𝑧 < 2𝜗

Separations Explicit function 𝑄𝐷𝑝𝑚: 0,1 4n log 𝑜 × 0,1 2n log 𝑜 → 0,1 that has: • CDS complexity: 𝑃(log 𝑜) • Randomized communication complexity: Ω(𝑜 1/3 ) • Linear CDS complexity: Ω(𝑜 1/6 ) Inspired by oracle separations between SZK and other classes [Aar12], and the Pattern Matrix method [She11].

Collision Problems 𝑜 log 𝑜 ℎ 𝑨 : 0,1 log 𝑜 → 0,1 log 𝑜 𝑨 ⋅ ⋅ ⋅ ℎ 𝑨 𝑗 = 𝑗 𝑢ℎ block in 𝑨 log 𝑜 𝑜 blocks ⇒ ℎ 𝑨 (𝑗) is uniformly distributed 0 if ℎ 𝑨 is 1−to−1 𝐷𝑝𝑚 𝑨 = ቐ 1 if ℎ 𝑨 is 2−to−1 ⇒ ℎ 𝑨 (𝑗) is far from uniform

Collision Problems 4𝑜 log 𝑜 𝑦 ⋅ ⋅ ⋅ 0 0 1 0 1 0 1 0 0 1 1 1 1 0 0 1 𝑧 𝑄𝐷𝑝𝑚 𝑦, 𝑧 = 𝐷𝑝𝑚(𝑦 𝑧 ) 3 2 2 ⋅ ⋅ ⋅ 4 𝑦[𝑧] 1 0 1 ⋅ ⋅ ⋅ 1 𝑜 log 𝑜 𝑆 𝑄𝐷𝑝𝑚 > Ω(𝑜 1/3 ) linCDS 𝑄𝐷𝑝𝑚 > Ω(𝑜 1/6 ) ([Amb05,Kut05] + [She11]) (left + [GKW15])

Collision Problems 𝑦 A 0 0 1 0 1 0 1 0 0 1 1 1 ⋅ ⋅ ⋅ 1 0 0 1 𝑦, 𝑧 𝑡 𝑗 C 𝑧 B 3 2 2 ⋅ ⋅ ⋅ 4 Use PSM [FKN94] to send: • ℎ 𝑦 𝑧 (𝑗) if 𝑡 = 0 𝑦[𝑧] • 𝑠 ← 0,1 log 𝑜 if 𝑡 = 1 1 0 1 ⋅ ⋅ ⋅ 1 log 𝑜 If 𝑄𝐷𝑝𝑚 𝑦, 𝑧 = 0 , both are 𝑜 blocks the same distribution, else they are far apart.

Closure ℎ - Boolean formula over 0,1 𝑛 of size 𝜏 CDS for each of CDS for 𝑔 1 , … , 𝑔 ℎ(𝑔 1 , … , 𝑔 𝑛 ) 𝑛 Comm: 𝑢 1 , … , 𝑢 𝑛 Comm: 𝜏 ⋅ 𝑞𝑝𝑚𝑧(𝑢 𝑗 , 𝜍 𝑗 ) Rand : 𝜍 1 , … , 𝜍 𝑛 Rand : 𝜏 ⋅ 𝑞𝑝𝑚𝑧(𝑢 𝑗 , 𝜍 𝑗 ) Construction uses transformations for Statistical Difference [SV03,Oka96], and PSM protocols [FKN94].

Amplification CDS for 𝑔 CDS for 𝑔 Single-bit secret 𝑙 -bit secret Corr: 2 −Ω(𝑙) Corr: 0.1 Priv: 2 −Ω(𝑙) Priv: 0.1 Comm: 𝑢 Comm: 𝑃(𝑙𝑢) Construction uses constant-rate ramp secret-sharing schemes [CCGdHV07]. Incomparable version follows from the Polarization Lemma [SV03].

Lower Bound There exists a predicate 𝑔: 0,1 𝑜 × 0,1 𝑜 → {0,1} for which any perfect (single-bit) CDS requires communication at least 0.99𝑜 . Proven by reduction to the PSM lower bound of [FKN94]. Earlier bound was explicit, Ω(log 𝑜) bits. [GKW15]

Amortization For any predicate 𝑔: 0,1 𝑜 × 0,1 𝑜 → {0,1} and 𝑛 > 2 2 2𝑜 , there is a perfect CDS protocol for 𝑔 with 𝑛 -bit secrets with communication complexity 𝑃(𝑛𝑜) . Proven using techniques from the amortization of branching programs [Pot16]. 𝑛 -fold repetition of best known general protocol [LVW17]: 𝑛 ⋅ 2 𝑃( 𝑜 log 𝑜)

Summary We prove the following properties of CDS: • Lower Bounds: Non-explicit, Ω(𝑜) . • Separation: From insecure communication and linear CDS. • Amortization: 𝑃(𝑜) per bit of secret, if there are more than 2 2 2𝑜 bits. • Closure: Under composition with formulas. • Amplification: Of correctness and privacy from constant to 2 −Ω(𝑙) with 𝑃(𝑙) blowup. To note: • Connections with Statistical Difference and SZK. • Barriers to PSM lower bounds.