Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu - - PowerPoint PPT Presentation

breaking the circuit size barrier in secret sharing
SMART_READER_LITE
LIVE PREVIEW

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu - - PowerPoint PPT Presentation

Feb 16, 2024 40 likes •796 views

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT 50th ACM Symposium on Theory of Computing June 27, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret Secret Sharing

slide-1
SLIDE 1

Breaking the Circuit-Size Barrier in Secret Sharing

Tianren Liu MIT Vinod Vaikuntanathan MIT 50th ACM Symposium on Theory of Computing June 27, 2018

slide-2
SLIDE 2

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret

slide-3
SLIDE 3

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret

share2 share3 share5 share1 share4

slide-4
SLIDE 4

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret

share2 share3 share5 share1 share4

slide-5
SLIDE 5

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret

share2 share3 share5 share1 share4

Can this subset of participants recover the secret?

slide-6
SLIDE 6

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret

share2 share3 share5 share1 share4

Can this subset of participants recover the secret?

Threshold Secret Sharing [Shamir’79] Any subset of ≥ k participants can recover the secret. Any subset of < k participants learns no information.

slide-7
SLIDE 7

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret

share2 share3 share5 share1 share4

Can this subset of participants recover the secret?

Threshold Secret Sharing [Shamir’79] Any subset of ≥ k participants can recover the secret. Any subset of < k participants learns no information. General Secret Sharing [ISN’89] monotone F : {0,1}n → {0,1} Any subset X that F(X) = 1 can recover the secret. Any subset X that F(X) = 0 learns no information.

slide-8
SLIDE 8

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret

share2 share3 share5 share1 share4

Can this subset of participants recover the secret?

Threshold Secret Sharing [Shamir’79] Any subset of ≥ k participants can recover the secret. Any subset of < k participants learns no information. General Secret Sharing [ISN’89] monotone F : {0,1}n → {0,1} Any subset X that F(X) = 1 can recover the secret. Any subset X that F(X) = 0 learns no information.

slide-9
SLIDE 9

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x1 x3 x4 Total share size = formula size of F ≤ ˜ O(2n)

slide-10
SLIDE 10

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x1 x3 x4 Total share size = formula size of F ≤ ˜ O(2n)

slide-11
SLIDE 11

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x1 x3 x4 s Total share size = formula size of F ≤ ˜ O(2n)

slide-12
SLIDE 12

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x1 x3 x4 s r1 r2 r3 s.t. r1 +r2 +r3 = s Total share size = formula size of F ≤ ˜ O(2n)

slide-13
SLIDE 13

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x1 x3 x4 s r1 r2 r3 r1 r1 r2 r2 r3 r3 s.t. r1 +r2 +r3 = s Total share size = formula size of F ≤ ˜ O(2n)

slide-14
SLIDE 14

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x2 x1 x3 x4 s r1 r2 r3 r1 r1 r2 r2 r3 r3 s.t. r1 +r2 +r3 = s Total share size = formula size of F ≤ ˜ O(2n)

slide-15
SLIDE 15

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x1 x3 x4 s r1 r2 r3 r1 r1 r2 r2 r3 r3 s.t. r1 +r2 +r3 = s Total share size = formula size of F ≤ ˜ O(2n)

slide-16
SLIDE 16

A General Secret Sharing Scheme [Benaloh-Leichter’88]

F is computed by some monotone formula ◮ Generate a tag for each wire

◮ Output wire tag: the secret s ◮ AND gate: additively share the output wire tag ◮ OR gate: copy the output wire tag

◮ The i-th participant’s share: all tags of its input wires

  • x2

x1 x3 x4 s r1 r2 r3 r1 r1 r2 r2 r3 r3 s.t. r1 +r2 +r3 = s Total share size = formula size of F ≤ ˜ O(2n)

slide-17
SLIDE 17

Key Complexity Measure: Total Share Size

Upper Bounds

Share size = O(monotone formula size) [Benaloh-Leichter’88]

slide-18
SLIDE 18

Key Complexity Measure: Total Share Size

Upper Bounds

Share size = O(monotone formula size) [Benaloh-Leichter’88] Share size = O(monotone span program size) [Karchmer-Wigderson’93]

slide-19
SLIDE 19

Key Complexity Measure: Total Share Size

Upper Bounds

Share size = O(monotone formula size) ≤ 2n

poly(n).

Share size = O(monotone span program size) ≤ 2n

poly(n).

slide-20
SLIDE 20

Key Complexity Measure: Total Share Size

Upper Bounds

Share size = O(monotone formula size) ≤ 2n

poly(n).

Share size = O(monotone span program size) ≤ 2n

poly(n).

Lower Bounds

Exists an explicit F s.t. total share size = ˜ Ω(n2). [Csirmaz’97]

slide-21
SLIDE 21

Key Complexity Measure: Total Share Size

Upper Bounds

Share size = O(monotone formula size) ≤ 2n

poly(n).

Share size = O(monotone span program size) ≤ 2n

poly(n).

Lower Bounds

Exists an explicit F s.t. total share size = ˜ Ω(n2). [Csirmaz’97] (No better lower bounds, even existentially.)

slide-22
SLIDE 22

Key Complexity Measure: Total Share Size

Upper Bounds

Share size = O(monotone formula size) ≤ 2n

poly(n).

Share size = O(monotone span program size) ≤ 2n

poly(n).

Lower Bounds

Exists an explicit F s.t. total share size = ˜ Ω(n2). [Csirmaz’97] (No better lower bounds, even existentially.)

Can we do better?

30+-year-old open problem

slide-23
SLIDE 23

Our Results

Yes, we can!

Theorem 1

Every monotone F has a secret sharing scheme with share size 20.994n.

slide-24
SLIDE 24

Key Complexity Measure: Total Share Size

Upper Bounds: Linear Linear Linear Secret Sharing

Share size = O(monotone formula size) ≤ 2n

poly(n).

Share size = Θ(monotone span program size) ≤ 2n

poly(n).

Lower Bounds: Linear Linear Linear Secret Sharing

Exists {Fn} s.t. total share size = ˜ Ω(2n/2).

Can we do better?

slide-25
SLIDE 25

Key Complexity Measure: Total Share Size

Upper Bounds: Linear Linear Linear Secret Sharing

Share size = O(monotone formula size) ≤ 2n

poly(n).

Share size = Θ(monotone span program size) ≤ 2n

poly(n).

Lower Bounds: Linear Linear Linear Secret Sharing

Exists {Fn} s.t. total share size = ˜ Ω(2n/2). (2Ω(n) for an explicit {Fn} [Pitassi-Robere’18])

Can we do better?

slide-26
SLIDE 26

Our Results

Yes, we can!

Theorem 2

Every monotone F has a linear secret sharing with share size 20.999n.

slide-27
SLIDE 27

Our Results

Yes, we can!

Theorem 2

Every monotone F has a linear secret sharing with share size 20.999n.

Corollary

Every monotone F has a monotone span program of size 20.999n.

slide-28
SLIDE 28

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I
  • Prop. II
slide-29
SLIDE 29

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I has size 20.994n
  • Prop. II
slide-30
SLIDE 30

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I has size 20.994n
  • Prop. II

Formula size log(#Monotone Functions) ≥ 2n

poly(n)

slide-31
SLIDE 31

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I has size 20.994n
  • Prop. II

Formula size×log(#Base Gates) ≥ log(#Monotone Functions) ≥ 2n

poly(n)

slide-32
SLIDE 32

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I has size 20.994n
  • Prop. II

Formula size×log(#Base Gates) ≥ log(#Monotone Functions) ≥ 2n

poly(n)

= ⇒ Requires 2˜

Ω(2n) gates in formula basis.

slide-33
SLIDE 33

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I has size 20.994n using an extended basis of 2˜

Ω(2n) gates

  • Prop. II
slide-34
SLIDE 34

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I has size 20.994n using an extended basis of 2˜

Ω(2n) gates

  • Prop. II every gate in the basis is a monotone function that has

an efficient secret sharing scheme

slide-35
SLIDE 35

Our Approach

Every monotone F can be computed by a monotone formula s.t.

  • Prop. I has size 20.994n using an extended basis of 2˜

Ω(2n) gates

  • Prop. II every gate in the basis is a monotone function that has

an efficient secret sharing scheme

Base gates [Liu-Vaikuntanathan-Wee’18]

We define slice functions, there are 2( n

n/2) of them and they have

secret scharing scheme with share size 2 ˜

O(√n).

slide-36
SLIDE 36

Our Approach

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

slide-37
SLIDE 37

Our Approach

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Monotone Functions

all monotone F Share size = 20.994n monotone formula size: 20.994n depth: constant gates: ∧,∨, slice functions

slide-38
SLIDE 38

Our Approach

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c)n

Monotone Functions

all monotone F Share size = 20.994n monotone formula size: 20.994n depth: constant gates: ∧,∨, slice functions

slide-39
SLIDE 39

Our Approach

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c)n

Monotone Functions

all monotone F Share size = 20.994n monotone formula size: 2(1−c′)n depth: constant gates: ∧,∨,1×fat-slice func monotone formula size: 2(1−c)n depth: constant gates: ∧,∨, slice func

slide-40
SLIDE 40

Our Approach

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c)n

Monotone Functions

all monotone F Share size = 20.994n monotone formula size: 2(1−c′)n depth: constant gates: ∧,∨,1×fat-slice func monotone formula size: 2(1−c)n depth: constant gates: ∧,∨, slice func

slide-41
SLIDE 41

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop as the following: Fbot(x) =

  • y s.t.

y<.49n F(y)=1

1x≥y =

  • y s.t.

y<.49n F(y)=1

  • i,yi=1

xi Fmid(x) =      0, if x < .49n F(x), if x ≈ .5n 1, if x > .51n Fmid is a fat-slice function. Ftop(x) =

  • y s.t.

y>.51n F(y)=0

1x≤y =

  • y s.t.

y>.51n F(y)=0

  • i,yi=0

xi Fbot is the smallest monotone function that agrees with F on all input x that x < .49n. Ftop is the largest monotone function that agrees with F on all input x that x > .51n.

slide-42
SLIDE 42

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop as the following: Fbot(x) =

  • y s.t.

y<.49n F(y)=1

1x≥y =

  • y s.t.

y<.49n F(y)=1

  • i,yi=1

xi Fmid(x) =      0, if x < .49n F(x), if x ≈ .5n 1, if x > .51n Fmid is a fat-slice function. Ftop(x) =

  • y s.t.

y>.51n F(y)=0

1x≤y =

  • y s.t.

y>.51n F(y)=0

  • i,yi=0

xi Fbot is the smallest monotone function that agrees with F on all input x that x < .49n. Ftop is the largest monotone function that agrees with F on all input x that x > .51n.

slide-43
SLIDE 43

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop as the following: Fbot(x) =

  • y s.t.

y<.49n F(y)=1

1x≥y =

  • y s.t.

y<.49n F(y)=1

  • i,yi=1

xi Fmid(x) =      0, if x < .49n F(x), if x ≈ .5n 1, if x > .51n Fmid is a fat-slice function. Share size = 2(1−c)n Ftop(x) =

  • y s.t.

y>.51n F(y)=0

1x≤y =

  • y s.t.

y>.51n F(y)=0

  • i,yi=0

xi Fbot is the smallest monotone function that agrees with F on all input x that x < .49n. Ftop is the largest monotone function that agrees with F on all input x that x > .51n.

slide-44
SLIDE 44

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop as the following: Fbot(x) =

  • y s.t.

y<.49n F(y)=1

1x≥y =

  • y s.t.

y<.49n F(y)=1

  • i,yi=1

xi Fmid(x) =      0, if x < .49n F(x), if x ≈ .5n 1, if x > .51n Fmid is a fat-slice function. Share size = 2(1−c)n Ftop(x) =

  • y s.t.

y>.51n F(y)=0

1x≤y =

  • y s.t.

y>.51n F(y)=0

  • i,yi=0

xi Fbot is the smallest monotone function that agrees with F on all input x that x < .49n. Ftop is the largest monotone function that agrees with F on all input x that x > .51n.

slide-45
SLIDE 45

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop as the following: Fbot(x) =

  • y s.t.

y<.49n F(y)=1

1x≥y =

  • y s.t.

y<.49n F(y)=1

  • i,yi=1

xi Fmid(x) =      0, if x < .49n F(x), if x ≈ .5n 1, if x > .51n Fmid is a fat-slice function. Share size = 2(1−c)n Ftop(x) =

  • y s.t.

y>.51n F(y)=0

1x≤y =

  • y s.t.

y>.51n F(y)=0

  • i,yi=0

xi Fbot is the smallest monotone function that agrees with F on all input x that x < .49n. Ftop is the largest monotone function that agrees with F on all input x that x > .51n.

slide-46
SLIDE 46

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop as the following: Fbot(x) =

  • y s.t.

y<.49n F(y)=1

1x≥y =

  • y s.t.

y<.49n F(y)=1

  • i,yi=1

xi Fmid(x) =      0, if x < .49n F(x), if x ≈ .5n 1, if x > .51n Fmid is a fat-slice function. Share size = 2(1−c)n Ftop(x) =

  • y s.t.

y>.51n F(y)=0

1x≤y =

  • y s.t.

y>.51n F(y)=0

  • i,yi=0

xi Fbot is the smallest monotone function that agrees with F on all input x that x < .49n. Ftop is the largest monotone function that agrees with F on all input x that x > .51n.

slide-47
SLIDE 47

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop as the following: Fbot(x) =

  • y s.t.

y<.49n F(y)=1

1x≥y =

  • y s.t.

y<.49n F(y)=1

  • i,yi=1

xi Fmid(x) =      0, if x < .49n F(x), if x ≈ .5n 1, if x > .51n Fmid is a fat-slice function. Share size = 2(1−c)n Ftop(x) =

  • y s.t.

y>.51n F(y)=0

1x≤y =

  • y s.t.

y>.51n F(y)=0

  • i,yi=0

xi Fbot,Ftop has monotone formula of size 2h(.49)·n = 2(1−c′)n = ⇒ Share size = 2(1−c′)n

slide-48
SLIDE 48

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: Fbot(x) Fmid(x) Ftop(x) x < .49n = F(x) = 0 ≥ F(x) x ∈ [.49n,.51n] ≤ F(x) = F(x) x > .51n = 1 = F(x) ◮ F(x) = Majority(Fbot(x),Fmid(x),Ftop(x))

slide-49
SLIDE 49

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: Fbot(x) Fmid(x) Ftop(x) x < .49n = F(x) = 0 ≥ F(x) x ∈ [.49n,.51n] ≤ F(x) = F(x) x > .51n = 1 = F(x) ◮ F(x) = Majority(Fbot(x),Fmid(x),Ftop(x))

slide-50
SLIDE 50

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: Fbot(x) Fmid(x) Ftop(x) x < .49n = F(x) = 0 ≥ F(x) x ∈ [.49n,.51n] ≤ F(x) = F(x) x > .51n = 1 = F(x) ◮ F(x) = (Fbot(x)∨Fmid(x))∧Ftop(x)

slide-51
SLIDE 51

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: ◮ Fmid lays in “a fat slice” [49%,51%] = ⇒ Share size of Fmid = 2(1−c)n ◮ Fbot,Ftop computed by size-2h(.49)·n formula = ⇒ Share size of Fbot,Ftop = 2(1−c′)n ◮ F(x) = Fbot(x)∨Fmid(x)∧Ftop(x) = ⇒ Share size of F = 2(1−c)n +2·2(1−c′)n = O(2max(1−c,1−c′)n)

slide-52
SLIDE 52

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: ◮ Fmid lays in “a fat slice” [49%,51%] = ⇒ Share size of Fmid = 2(1−c)n ◮ Fbot,Ftop computed by size-2h(.49)·n formula = ⇒ Share size of Fbot,Ftop = 2(1−c′)n ◮ F(x) = Fbot(x)∨Fmid(x)∧Ftop(x) = ⇒ Share size of F = 2(1−c)n +2·2(1−c′)n = O(2max(1−c,1−c′)n)

slide-53
SLIDE 53

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: ◮ Fmid lays in “a fatter slice” [40%,60%] = ⇒ Share size of Fmid = 2(1−c)n ◮ Fbot,Ftop computed by size-2h(.49)·n formula = ⇒ Share size of Fbot,Ftop = 2(1−c′)n ◮ F(x) = Fbot(x)∨Fmid(x)∧Ftop(x) = ⇒ Share size of F = 2(1−c)n +2·2(1−c′)n = O(2max(1−c,1−c′)n)

slide-54
SLIDE 54

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: ◮ Fmid lays in “a fatter slice” [40%,60%] = ⇒ Share size of Fmid = 2(1−c)n increase↑↑ ◮ Fbot,Ftop computed by size-2h(.49)·n formula = ⇒ Share size of Fbot,Ftop = 2(1−c′)n ◮ F(x) = Fbot(x)∨Fmid(x)∧Ftop(x) = ⇒ Share size of F = 2(1−c)n +2·2(1−c′)n = O(2max(1−c,1−c′)n)

slide-55
SLIDE 55

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: ◮ Fmid lays in “a fatter slice” [40%,60%] = ⇒ Share size of Fmid = 2(1−c)n increase↑↑ ◮ Fbot,Ftop computed by size-2h(.4)·n formula = ⇒ Share size of Fbot,Ftop = 2(1−c′)n ◮ F(x) = Fbot(x)∨Fmid(x)∧Ftop(x) = ⇒ Share size of F = 2(1−c)n +2·2(1−c′)n = O(2max(1−c,1−c′)n)

slide-56
SLIDE 56

Fat-Slice Functions = ⇒ All Monotone Functions

Let F be any monotone function. Define Fbot,Fmid,Ftop such that: ◮ Fmid lays in “a fatter slice” [40%,60%] = ⇒ Share size of Fmid = 2(1−c)n increase↑↑ ◮ Fbot,Ftop computed by size-2h(.4)·n formula = ⇒ Share size of Fbot,Ftop = 2(1−c′)n decrease↓↓ ◮ F(x) = Fbot(x)∨Fmid(x)∧Ftop(x) = ⇒ Share size of F = 2(1−c)n +2·2(1−c′)n = O(2max(1−c,1−c′)n)

slide-57
SLIDE 57

To Summarize

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c′)n

Monotone Functions

all monotone F Share size = 2(1−c)n monotone formula F(x) = Fbot(x)∨Fmid(x)∧Ftop(x)

slide-58
SLIDE 58

To Summarize

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c′)n

Monotone Functions

all monotone F Share size = 20.994n monotone formula size: 20.994n depth: constant gates: ∧,∨, slice functions

slide-59
SLIDE 59

To Summarize

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c′)n

Monotone Functions

all monotone F Share size = 20.994n monotone formula size: 20.994n depth: constant gates: ∧,∨, slice functions Previous Work [LVW’18] Our Result

slide-60
SLIDE 60

To Summarize

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c′)n

Monotone Functions

all monotone F Share size = 20.994n monotone formula size: 20.994n depth: constant gates: ∧,∨, slice functions

slide-61
SLIDE 61

To Summarize

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c′)n

Monotone Functions

all monotone F Share size = 20.1n monotone formula size: 20.1n depth: constant gates: ∧,∨, slice functions

Open Problem!

slide-62
SLIDE 62

To Summarize

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = 2 ˜

O(√n)

Fat-Slice Functions

all F such that x > .51n ⇒ F(x) = 1 x < .49n ⇒ F(x) = 0 Share size = 2(1−c′)n

Monotone Functions

all monotone F Share size = 2 ˜

O(√n)

monotone formula size: 2 ˜

O(√n)

depth: constant gates: ∧,∨, slice functions

Open Problem!

slide-63
SLIDE 63

To Summarize (Linear Secret Sharing)

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = ˜ Θ(2n/2)

Monotone Functions

all monotone F Share size = 20.999n monotone formula size: 20.999n depth: constant gates: ∧,∨, 20.499×slice functions

slide-64
SLIDE 64

To Summarize (Linear Secret Sharing)

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = ˜ Θ(2n/2) (tight)

Monotone Functions

all monotone F Share size = 20.999n monotone formula size: 20.999n depth: constant gates: ∧,∨, 20.499×slice functions

slide-65
SLIDE 65

To Summarize (Linear Secret Sharing)

Slice Functions

all F such that x > n/2 = ⇒ F(x) = 1 x < n/2 = ⇒ F(x) = 0 #functions = 2( n

n/2)

Share size = ˜ Θ(2n/2) (tight)

Monotone Functions

all monotone F Share size = 20.999n

Corollary: Monotone Span Program Complexity

Every monotone F has a monotone span program of size 20.999n.

slide-66
SLIDE 66

To Summarize

Secret sharing for any monotone function: Ω(n2/logn) ˜ O(2n)

slide-67
SLIDE 67

To Summarize

Secret sharing for any monotone function: Ω(n2/logn) ˜ O(2n) Linear secret sharing for any monotone function: ˜ Ω(2n/2) ˜ O(2n)

slide-68
SLIDE 68

To Summarize

Secret sharing for any monotone function: Ω(n2/logn) 20.994n ˜ O(2n) Linear secret sharing for any monotone function: ˜ Ω(2n/2) 20.999n ˜ O(2n)

slide-69
SLIDE 69

To Summarize

Secret sharing for any monotone function: Ω(n2/logn) 20.994n ˜ O(2n) Linear secret sharing for any monotone function: ˜ Ω(2n/2) 20.999n ˜ O(2n)

slide-70
SLIDE 70

To Summarize

All Monotone Functions

∀F has a secret sharing scheme with share size 20.994n. ∀F has a linear secret sharing scheme with share size 20.999n.

slide-71
SLIDE 71

To Summarize

All Monotone Functions

∀F has a secret sharing scheme with share size 20.994n. ∀F has a linear secret sharing scheme with share size 20.999n.

Slice Functions [LVW’18,BKN’18]

Every slice function (there are 2( n

n/2) of them) has a secret sharing

scheme with share size 2 ˜

O(√n).

slide-72
SLIDE 72

To Summarize

All Monotone Functions

∀F has a secret sharing scheme with share size 20.994n. ∀F has a linear secret sharing scheme with share size 20.999n.

Slice Functions [LVW’18,BKN’18]

Every slice function (there are 2( n

n/2) of them) has a secret sharing

scheme with share size 2 ˜

O(√n).

C A

D,s i1,s i2,s in,s D,i Multi-party CDS

[LVW’18]

slide-73
SLIDE 73

To Summarize

All Monotone Functions

∀F has a secret sharing scheme with share size 20.994n. ∀F has a linear secret sharing scheme with share size 20.999n.

Slice Functions [LVW’18,BKN’18]

Every slice function (there are 2( n

n/2) of them) has a secret sharing

scheme with share size 2 ˜

O(√n).

C A

D,s i1,s i2,s in,s D,i Multi-party CDS

[LVW’18]

C A B

D,s i,s D,i 2-party CDS

[LVW’17]

slide-74
SLIDE 74

To Summarize

All Monotone Functions

∀F has a secret sharing scheme with share size 20.994n. ∀F has a linear secret sharing scheme with share size 20.999n.

Slice Functions [LVW’18,BKN’18]

Every slice function (there are 2( n

n/2) of them) has a secret sharing

scheme with share size 2 ˜

O(√n).

C A

D,s i1,s i2,s in,s D,i Multi-party CDS

[LVW’18]

C A B

D,s i,s D,i 2-party CDS

[LVW’17]

D D i 2-server PIR

[Yek’08,Efr’09,DG’15]

slide-75
SLIDE 75

To Summarize

All Monotone Functions

∀F has a secret sharing scheme with share size 20.994n. ∀F has a linear secret sharing scheme with share size 20.999n.

Slice Functions [LVW’18,BKN’18]

Every slice function (there are 2( n

n/2) of them) has a secret sharing

scheme with share size 2 ˜

O(√n).

C A

D,s i1,s i2,s in,s D,i Multi-party CDS

[LVW’18]

C A B

D,s i,s D,i 2-party CDS

[LVW’17]

D D i 2-server PIR

[Yek’08,Efr’09,DG’15] Matching Vectors, OR-poly [BBR’94]