Closure, Amortization, Lower-bounds, and Separations Benny - - PowerPoint PPT Presentation

β–Ά
closure amortization lower bounds and
SMART_READER_LITE
LIVE PREVIEW

Closure, Amortization, Lower-bounds, and Separations Benny - - PowerPoint PPT Presentation

May 11, 2023 246 likes β€’398 views

Conditional Disclosure of Secrets: Amplification, Closure, Amortization, Lower-bounds, and Separations Benny Applebaum Barak Arkis Pavel Raykov Prashant Nalini Vasudevan Conditional Disclosure of Secrets [GIKM00] : 0,1 0,1

slide-1
SLIDE 1

Conditional Disclosure of Secrets: Amplification, Closure, Amortization, Lower-bounds, and Separations

Benny Applebaum Barak Arkis Pavel Raykov Prashant Nalini Vasudevan

slide-2
SLIDE 2

Conditional Disclosure of Secrets [GIKM00]

A 𝑔: 0,1 π‘œ Γ— 0,1 π‘œ β†’ {0,1} C B 𝑦 𝑧

Randomness 𝑠 Secret 𝑑

𝑛𝐡 𝑛𝐢 𝑦, 𝑧 𝜺-Correctness: If 𝑔 𝑦, 𝑧 = 1, then for any 𝑑, Pr 𝐷 𝑦, 𝑧, 𝑛𝐡, 𝑛𝐢 = 𝑑 > 1 βˆ’ Ξ΄ 𝝑-Privacy: If 𝑔 𝑦, 𝑧 = 0, then for any 𝑑, Ξ” 𝑇𝑗𝑛 𝑦, 𝑧 ; 𝑛𝐡, 𝑛𝐢 < πœ— Communication: 𝑛𝐡 + |𝑛𝐢| Randomness: |𝑠|

slide-3
SLIDE 3

Connections and Applications

  • Attribute-Based Encryption. [Att14,Wee14]
  • Secret-sharing for certain graph-based access structures.
  • Light-weight alternative to zero-knowledge proofs in some settings. [AIR01]
  • Data privacy in information-theoretic PIR. [GIKM00]
  • A minimal model of multi-party computation.
slide-4
SLIDE 4

What Was Known Earlier

Upper bounds:

  • Communication 2𝑃( π‘œ log π‘œ) for any predicate on π‘œ-bit inputs. [LVW17]
  • Communication 𝑃(𝜏) for predicates with size-𝜏 branching programs or span
  • programs. [IW14,AR16]

Lower bounds:

  • Explicit predicate that requires Ξ©(log π‘œ) bits of communication. [GKW15]
  • Same predicate requires Ξ©

π‘œ bits for linear CDS. [GKW15]

slide-5
SLIDE 5

Distribution of (𝑛𝐡, 𝑛𝐢):

  • input (𝑦, 𝑧), 𝑑 = 0: 𝑛𝐡, 𝑛𝐢 𝑦,𝑧
  • input (𝑦, 𝑧), 𝑑 = 1: 𝑛𝐡, 𝑛𝐢 𝑦,𝑧

1

CDS and Statistical Difference

A C B 𝑦 𝑧

Randomness 𝑠 Secret 𝑑

𝑛𝐡 𝑛𝐢 𝑦, 𝑧 𝜺-Correctness: If 𝑔 𝑦, 𝑧 = 1, then for any 𝑑, Pr 𝐷 𝑦, 𝑧, 𝑛𝐡, 𝑛𝐢 = 𝑑 > 1 βˆ’ Ξ΄ ≑ Ξ” 𝑛𝐡, 𝑛𝐢 𝑦,𝑧 ; 𝑛𝐡, 𝑛𝐢 𝑦,𝑧

1

> 1 βˆ’ 2πœ€ 𝝑-Privacy: If 𝑔 𝑦, 𝑧 = 0, then for any 𝑑, Ξ” 𝑇𝑗𝑛 𝑦, 𝑧 ; 𝑛𝐡, 𝑛𝐢 < πœ— ≑ Ξ” 𝑛𝐡, 𝑛𝐢 𝑦,𝑧 ; 𝑛𝐡, 𝑛𝐢 𝑦,𝑧

1

< 2πœ—

slide-6
SLIDE 6

Separations

Explicit function π‘„π·π‘π‘š: 0,1 4n log π‘œ Γ— 0,1 2n log π‘œ β†’ 0,1 that has:

  • CDS complexity: 𝑃(log π‘œ)
  • Randomized communication complexity: Ξ©(π‘œ1/3)
  • Linear CDS complexity: Ξ©(π‘œ1/6)

Inspired by oracle separations between SZK and other classes [Aar12], and the Pattern Matrix method [She11].

slide-7
SLIDE 7

Collision Problems

𝑨 β„Žπ‘¨: 0,1 log π‘œ β†’ 0,1 log π‘œ β„Žπ‘¨ 𝑗 = π‘—π‘’β„Ž block in 𝑨

π‘œ log π‘œ log π‘œ π‘œ blocks

π·π‘π‘š 𝑨 = ቐ 0 if β„Žπ‘¨ is 1βˆ’toβˆ’1 1 if β„Žπ‘¨ is 2βˆ’toβˆ’1 β‹… β‹… β‹… β‡’ β„Žπ‘¨(𝑗) is uniformly distributed β‡’ β„Žπ‘¨(𝑗) is far from uniform

slide-8
SLIDE 8

Collision Problems

0 0 1 0 1 0 1 0 0 1 1 1 1 0 0 1

π‘„π·π‘π‘š 𝑦, 𝑧 = π·π‘π‘š(𝑦 𝑧 ) 𝑆 π‘„π·π‘π‘š > Ξ©(π‘œ1/3) ([Amb05,Kut05] + [She11]) 𝑦 𝑧 𝑦[𝑧] β‹… β‹… β‹… β‹… β‹… β‹… β‹… β‹… β‹…

3 2 2 4 1 1 1

4π‘œ log π‘œ π‘œ log π‘œ

linCDS π‘„π·π‘π‘š > Ξ©(π‘œ1/6) (left + [GKW15])

slide-9
SLIDE 9

Collision Problems

0 0 1 0 1 0 1 0 0 1 1 1 1 0 0 1

𝑧 𝑦[𝑧] β‹… β‹… β‹… β‹… β‹… β‹… β‹… β‹… β‹…

3 2 2 4 1 1 1

A B

log π‘œ π‘œ blocks

C Use PSM [FKN94] to send:

  • β„Žπ‘¦ 𝑧 (𝑗) if 𝑑 = 0
  • 𝑠 ← 0,1 log π‘œ if 𝑑 = 1

If π‘„π·π‘π‘š 𝑦, 𝑧 = 0, both are the same distribution, else they are far apart. 𝑦 𝑦, 𝑧 𝑗 𝑑

slide-10
SLIDE 10

Closure

CDS for each of

𝑔

1, … , 𝑔 𝑛

Comm: 𝑒1, … , 𝑒𝑛 Rand : 𝜍1, … , πœπ‘›

CDS for

β„Ž(𝑔

1, … , 𝑔 𝑛)

Comm: 𝜏 β‹… π‘žπ‘π‘šπ‘§(𝑒𝑗, πœπ‘—) Rand : 𝜏 β‹… π‘žπ‘π‘šπ‘§(𝑒𝑗, πœπ‘—) β„Ž - Boolean formula over 0,1 𝑛 of size 𝜏 Construction uses transformations for Statistical Difference [SV03,Oka96], and PSM protocols [FKN94].

slide-11
SLIDE 11

Amplification

CDS for 𝑔

𝑙-bit secret Corr: 2βˆ’Ξ©(𝑙) Priv: 2βˆ’Ξ©(𝑙) Comm: 𝑃(𝑙𝑒)

CDS for 𝑔

Single-bit secret Corr: 0.1 Priv: 0.1 Comm: 𝑒 Construction uses constant-rate ramp secret-sharing schemes [CCGdHV07]. Incomparable version follows from the Polarization Lemma [SV03].

slide-12
SLIDE 12

Lower Bound

There exists a predicate 𝑔: 0,1 π‘œ Γ— 0,1 π‘œ β†’ {0,1} for which any perfect (single-bit) CDS requires communication at least 0.99π‘œ. Proven by reduction to the PSM lower bound of [FKN94]. Earlier bound was explicit, Ξ©(log π‘œ) bits. [GKW15]

slide-13
SLIDE 13

Amortization

For any predicate 𝑔: 0,1 π‘œ Γ— 0,1 π‘œ β†’ {0,1} and 𝑛 > 222π‘œ, there is a perfect CDS protocol for 𝑔 with 𝑛-bit secrets with communication complexity 𝑃(π‘›π‘œ). Proven using techniques from the amortization of branching programs [Pot16]. 𝑛-fold repetition of best known general protocol [LVW17]: 𝑛 β‹… 2𝑃( π‘œ log π‘œ)

slide-14
SLIDE 14

Summary

We prove the following properties of CDS:

  • Lower Bounds: Non-explicit, Ξ©(π‘œ).
  • Separation: From insecure communication and linear CDS.
  • Amortization: 𝑃(π‘œ) per bit of secret, if there are more than 222π‘œ bits.
  • Closure: Under composition with formulas.
  • Amplification: Of correctness and privacy from constant to 2βˆ’Ξ©(𝑙) with

𝑃(𝑙) blowup. To note:

  • Connections with Statistical Difference and SZK.
  • Barriers to PSM lower bounds.