Communication Complexity of Private Simultaneous Messages, Revisited - - PowerPoint PPT Presentation

Communication Complexity of Private Simultaneous Messages, Revisited

Manoj Mishra

Department of Electrical Engineering - Systems Tel Aviv University

Joint work with Benny Applebaum (TAU), Thomas Holenstein (Google), Ofer Shayevitz (TAU)

Information-Theoretic Secure Function Evaluation

• Users are computationally unbounded.

Information-Theoretic Secure Function Evaluation

• Users are computationally unbounded.
• Completeness results: Any function can be computed, under various

adversarial settings.

Information-Theoretic Secure Function Evaluation

• Users are computationally unbounded.
• Completeness results: Any function can be computed, under various

adversarial settings.

• Big Open Problem: What is the Communication Complexity of

unconditionally secure function evaluation

• in general (worst case) ?
• for explicit functions ?

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

x y

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

x y f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

x y f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

x y f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness
• Perfect privacy: doesn’t learn x, y

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness
• Perfect privacy: doesn’t learn x, y

x, R y, R

• R ∈ {0, 1}∗

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness
• Perfect privacy: doesn’t learn x, y

x, R y, R

• R ∈ {0, 1}∗

MA MB

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Minimal model for secure computation

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Minimal model for secure computation
• Closely related to: Randomized Encodings/Garbled Circuits, Functional

Encryption, Conditional Disclosure of Secrets(C.D.S.)

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Communication upper bound:

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Communication upper bound:
• For any f : O(2k/2) (Beimel et al., TCC, 2014)

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Communication upper bound:
• For any f : O(2k/2) (Beimel et al., TCC, 2014)
• Polynomial in formula-size of f (FKN, STOC 1994)

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Communication upper bound:
• For any f : O(2k/2) (Beimel et al., TCC, 2014)
• Polynomial in formula-size of f (FKN, STOC 1994)
• Communication lower bound: 3k − O(1) (FKN, STOC 1994)

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Communication upper bound:
• For any f : O(2k/2) (Beimel et al., TCC, 2014)
• Polynomial in formula-size of f (FKN, STOC 1994)
• Communication lower bound: 3k − O(1) (FKN, STOC 1994)
• f random

Private Simultaneous Messages (P.S.M.) (Feige,Kilian,Naor, STOC, 1994)

A B C

• x, y ∈ {0, 1}k

f (x, y)

• f : {0, 1}k × {0, 1}k → {0, 1}
• Pefect correctness

x, R y, R

• R ∈ {0, 1}∗

MA MB

• Perfect privacy: (MA, MB) ∼ Mz
• Communication upper bound:
• For any f : O(2k/2) (Beimel et al., TCC, 2014)
• Polynomial in formula-size of f (FKN, STOC 1994)
• Communication lower bound: 3k − O(1) (FKN, STOC 1994)
• f random
• Weak Privacy : hide the last bit of x

P.S.M : Questions

A B C x, R y, R MA MB f (x, y) Q1. How do we improve the lowerbound, even for non-explicit functions ?

P.S.M : Questions

A B C x, R y, R MA MB f (x, y) Q1. How do we improve the lowerbound, even for non-explicit functions ? Q2. How do we get non-trivial lowerbounds for explicit functions ?

P.S.M : Questions

A B C x, R y, R MA MB f (x, y) Q1. How do we improve the lowerbound, even for non-explicit functions ? Q2. How do we get non-trivial lowerbounds for explicit functions ?

• Q3. What combinatorial/algebraic properties of a function make it expensive

(in communication) to compute securely ?

Main Results

• Counterexample to FKN’s Lowerbound:
• reveals a gap in the proof.
• original proof: works for weak privacy + revealing non-private inputs.

Main Results

• Counterexample to FKN’s Lowerbound:
• reveals a gap in the proof.
• original proof: works for weak privacy + revealing non-private inputs.
• New proof of a lowerbound:
• in terms of combinatorial properties of f : X × Y → Z.
• Corollary : for a random f , PSM(f ) ≥ 3k − O(log k).

Main Results

• Counterexample to FKN’s Lowerbound:
• reveals a gap in the proof.
• original proof: works for weak privacy + revealing non-private inputs.
• New proof of a lowerbound:
• in terms of combinatorial properties of f : X × Y → Z.
• Corollary : for a random f , PSM(f ) ≥ 3k − O(log k).
• Lowerbound for explicit boolean functions:
• ∃ poly-sized circuit family {fk} of boolean functions with

PSM(fk) ≥ 3k − O(log k).

• Partially resolves an open problem from Data, Prabhakaran, Prabhakaran

(CRYPTO, 2014).

Main Results

• Counterexample to FKN’s Lowerbound:
• reveals a gap in the proof.
• original proof: works for weak privacy + revealing non-private inputs.
• New proof of a lowerbound:
• in terms of combinatorial properties of f : X × Y → Z.
• Corollary : for a random f , PSM(f ) ≥ 3k − O(log k).
• Lowerbound for explicit boolean functions:
• ∃ poly-sized circuit family {fk} of boolean functions with

PSM(fk) ≥ 3k − O(log k).

• Partially resolves an open problem from Data, Prabhakaran, Prabhakaran

(CRYPTO, 2014).

• Lowerbounds extend to imperfect P.S.M.s.

Main Results

• Counterexample to FKN’s Lowerbound:
• reveals a gap in the proof.
• original proof: works for weak privacy + revealing non-private inputs.
• New proof of a lowerbound:
• in terms of combinatorial properties of f : X × Y → Z.
• Corollary : for a random f , PSM(f ) ≥ 3k − O(log k).
• Lowerbound for explicit boolean functions:
• ∃ poly-sized circuit family {fk} of boolean functions with

PSM(fk) ≥ 3k − O(log k).

• Partially resolves an open problem from Data, Prabhakaran, Prabhakaran

(CRYPTO, 2014).

• Lowerbounds extend to imperfect P.S.M.s.
• Applications:
• First explicit lowerbounds for Conditional Disclosure of Secret (C.D.S).
• Tight lowerbound for inner-product predicate.

Revisiting P.S.M. Lowerbound

A B C x, R y, R MA MB f (x, y)

• x,y∈ {0, 1}k
• f : {0, 1}k × {0, 1}k → {0, 1}
• R ∈ {0, 1}∗

Theorem (FKN’s Lowerbound)

If f satisfies three requirements, then perfect correctness and weak privacy requires PSM(f ) ≥ 3k − O(1).

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1

r1

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1

r1 r2

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1

r1 r2

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Communication: log |MA| + log |MB|

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Mechanism:

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Mechanism:

• Lowerbound number of r’s

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Mechanism:

• Lowerbound number of r’s
• Lowerbound size of each image set

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Mechanism:

• Lowerbound number of r’s
• Lowerbound size of each image set
• Upperbound size of overlap between

two image sets

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Assumption 1 on f :

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Assumption 1 on f :

• f non-degenerate:

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Assumption 1 on f :

• f non-degenerate:
• x = x′ ⇒ f (x, ·) = f (x′, ·)

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Assumption 1 on f :

• f non-degenerate:
• x = x′ ⇒ f (x, ·) = f (x′, ·)
• Simarly for y = y ′

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Assumption 1 on f :

• f non-degenerate:
• x = x′ ⇒ f (x, ·) = f (x′, ·)
• Simarly for y = y ′

Consequence:

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Assumption 1 on f :

• f non-degenerate:
• x = x′ ⇒ f (x, ·) = f (x′, ·)
• Simarly for y = y ′

Consequence:

• r is one-to-one

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Useful Edge (x, y):

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Useful Edge (x, y):

• f (x, y) = f (x, y)

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Useful Edge (x, y):

• f (x, y) = f (x, y)
• x : x with last bit inverted

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Useful Edge (x, y):

• f (x, y) = f (x, y)
• x : x with last bit inverted

Assumption 2 on f :

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Useful Edge (x, y):

• f (x, y) = f (x, y)
• x : x with last bit inverted

Assumption 2 on f :

• Half of the edges are useful

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Useful Edge (x, y):

• f (x, y) = f (x, y)
• x : x with last bit inverted

Assumption 2 on f :

• Half of the edges are useful

Consequence:

Revisiting P.S.M. Lowerbound

x1 x2 xK y1 y2 yK X Y · · · ·

1 1 1

a1 a2 . . . . . . aJ b1 b2 . . . . . . . bL MA MB

1 1 1 1 1 1 1 1 1

r1 r2 r3 Useful Edge (x, y):

• f (x, y) = f (x, y)
• x : x with last bit inverted

Assumption 2 on f :

• Half of the edges are useful

Consequence:

• Image set has half of f ’s edges

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r Non-trivial Overlaps a b x r x ˜ r y r ˜ r

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r Non-trivial Overlaps a b x r x ˜ r y r ˜ r

X ′ ◦ 0 X ′ ◦ 1 Y

Complementary Similar Rectangles Truth Table of f

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r Non-trivial Overlaps a b x r x ˜ r y r ˜ r

X ′ ◦ 0 X ′ ◦ 1 Y

Complementary Similar Rectangles Assumption 3 on f : Size ≤ 2 · 2k Truth Table of f

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r Non-trivial Overlaps a b x r x ˜ r y r ˜ r Unaccounted Overlaps a b x r ˜ x ˜ r y r ˜ y ˜ r

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r Non-trivial Overlaps a b x r x ˜ r y r ˜ r Unaccounted Overlaps a b x r ˜ x ˜ r y r ˜ y ˜ r Implication:

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r Non-trivial Overlaps a b x r x ˜ r y r ˜ r Unaccounted Overlaps a b x r ˜ x ˜ r y r ˜ y ˜ r Implication:

• Reveal all inputs not required to be private.

Revisiting P.S.M. Lowerbound

Trivial Overlaps a b x r ˜ r y r ˜ r Non-trivial Overlaps a b x r x ˜ r y r ˜ r Unaccounted Overlaps a b x r ˜ x ˜ r y r ˜ y ˜ r Implication:

• Reveal all inputs not required to be private.
• Potentially higher communication cost

Counterexample to P.S.M. Lowerbound

f (x, y) = < L(x), y >, L(x) := T0 · x[1 : k − 1] ◦ 0, x[k] = 0 T1 · x[1 : k − 1] ◦ 1, x[k] = 1

• ,

T0, T1, T0 + T1 : full rank

Counterexample to P.S.M. Lowerbound

f (x, y) = < L(x), y >, L(x) := T0 · x[1 : k − 1] ◦ 0, x[k] = 0 T1 · x[1 : k − 1] ◦ 1, x[k] = 1

• ,

T0, T1, T0 + T1 : full rank A B C x, R y, R

Counterexample to P.S.M. Lowerbound

f (x, y) = < L(x), y >, L(x) := T0 · x[1 : k − 1] ◦ 0, x[k] = 0 T1 · x[1 : k − 1] ◦ 1, x[k] = 1

• ,

T0, T1, T0 + T1 : full rank A B C x, R y, R L(x)

Counterexample to P.S.M. Lowerbound

f (x, y) = < L(x), y >, L(x) := T0 · x[1 : k − 1] ◦ 0, x[k] = 0 T1 · x[1 : k − 1] ◦ 1, x[k] = 1

• ,

T0, T1, T0 + T1 : full rank A B C x, R y, R L(x)

• PSM for < ·, · >

Counterexample to P.S.M. Lowerbound

f (x, y) = < L(x), y >, L(x) := T0 · x[1 : k − 1] ◦ 0, x[k] = 0 T1 · x[1 : k − 1] ◦ 1, x[k] = 1

• ,

T0, T1, T0 + T1 : full rank A B C x, R y, R L(x)

• PSM for < ·, · >

MA MB

< L(x), y >

Counterexample to P.S.M. Lowerbound

f (x, y) = < L(x), y >, L(x) := T0 · x[1 : k − 1] ◦ 0, x[k] = 0 T1 · x[1 : k − 1] ◦ 1, x[k] = 1

• ,

T0, T1, T0 + T1 : full rank A B C x, R y, R L(x)

• PSM for < ·, · >

MA MB

< L(x), y >

• Communication: 2k + 2 bits

New Proof for a Communication Lowerbound

A B C

• x ∈ X, y ∈ Y, R ∈ {0, 1}∗

x, R y, R MA MB f (x, y)

• f : X × Y → Z
• Pefect correctness
• Perfect privacy

Key idea of the proof

x0 x1 . xJ y0 y1 . . yK X Y a0 a1 a2 . . . a ˜

J

b0 b1 b2 . . b ˜

K

MA MB

Key idea of the proof

x0 x1 . xJ y0 y1 . . yK X Y a0 a1 a2 . . . a ˜

J

b0 b1 b2 . . b ˜

K

MA MB µ ∽ X × Y

Key idea of the proof

x0 x1 . xJ y0 y1 . . yK X Y a0 a1 a2 . . . a ˜

J

b0 b1 b2 . . b ˜

K

MA MB µ ∽ X × Y (X, Y )

Key idea of the proof

x0 x1 . xJ y0 y1 . . yK X Y a0 a1 a2 . . . a ˜

J

b0 b1 b2 . . b ˜

K

MA MB µ ∽ X × Y (X, Y ) R

Key idea of the proof

x0 x1 . xJ y0 y1 . . yK X Y a0 a1 a2 . . . a ˜

J

b0 b1 b2 . . b ˜

K

MA MB µ ∽ X × Y (X, Y ) (X ′, Y ′) R

Key idea of the proof

x0 x1 . xJ y0 y1 . . yK X Y a0 a1 a2 . . . a ˜

J

b0 b1 b2 . . b ˜

K

MA MB µ ∽ X × Y (X, Y ) (X ′, Y ′) R R′

Main Result

Theorem

Let f : X × Y → Z be non-degenerate and let µ be a distribution on X × Y. Then, PSM(f ) ≥ log(1/α(µ)) + H∞(µ) − log(1/β(µ)) − 1.

Main Result

Theorem

Let f : X × Y → Z be non-degenerate and let µ be a distribution on X × Y. Then, PSM(f ) ≥ log(1/α(µ)) + H∞(µ) − log(1/β(µ)) − 1. α(µ) := Volume of disjoint, Similar Rectangles := max

(R1,R2: similar, disjoint) {min(µ(R1), µ(R2))}

R1 R2 X Y Truth Table of f

Main Result

Theorem

Let f : X × Y → Z be non-degenerate and let µ be a distribution on X × Y. Then, PSM(f ) ≥ log(1/α(µ)) + H∞(µ) − log(1/β(µ)) − 1. H∞(µ) := Min. Entropy of µ

Main Result

Theorem

Let f : X × Y → Z be non-degenerate and let µ be a distribution on X × Y. Then, PSM(f ) ≥ log(1/α(µ)) + H∞(µ) − log(1/β(µ)) − 1. β(µ) := Volume of Useful Edges := Pr[(X, Y ) = (X ′, Y ′)|f (X, Y ) = f (X ′, Y ′)]

Special cases

Theorem (Boolean function)

For non-degenerate f : X × Y → {0, 1}, PSM(f ) ≥ 2(log |X| + log |Y|) − log M − 3.

Special cases

Theorem (Boolean function)

For non-degenerate f : X × Y → {0, 1}, PSM(f ) ≥ 2(log |X| + log |Y|) − log M − 3. M := max

(R1,R2: similar, disjoint)|R1|

Special cases

Theorem (Boolean function)

For non-degenerate f : X × Y → {0, 1}, PSM(f ) ≥ 2(log |X| + log |Y|) − log M − 3.

Proof.

Use µ : uniform distribution.

Special cases

Theorem (Boolean function)

For non-degenerate f : X × Y → {0, 1}, PSM(f ) ≥ 2(log |X| + log |Y|) − log M − 3.

Corollary (Random function)

For a random, boolean f : {0, 1}k × {0, 1}k → {0, 1}, w.h.p., PSM(f ) ≥ 3k − 2 log k − 1.

Special cases

Theorem (Boolean function)

For non-degenerate f : X × Y → {0, 1}, PSM(f ) ≥ 2(log |X| + log |Y|) − log M − 3.

Corollary (Random function)

For a random, boolean f : {0, 1}k × {0, 1}k → {0, 1}, w.h.p., PSM(f ) ≥ 3k − 2 log k − 1.

Proof.

W.h.p., M ≤ k2 · 2k.

Special cases

Theorem (Boolean function)

For non-degenerate f : X × Y → {0, 1}, PSM(f ) ≥ 2(log |X| + log |Y|) − log M − 3.

Corollary (Random function)

For a random, boolean f : {0, 1}k × {0, 1}k → {0, 1}, w.h.p., PSM(f ) ≥ 3k − 2 log k − 1.

Theorem (Explicit functions)

∃

• fk : {0, 1}k × {0, 1}k → {0, 1}
• k for which PSM(fk) ≥ 3k − O(log k)

Special cases

Theorem (Boolean function)

For non-degenerate f : X × Y → {0, 1}, PSM(f ) ≥ 2(log |X| + log |Y|) − log M − 3.

Corollary (Random function)

For a random, boolean f : {0, 1}k × {0, 1}k → {0, 1}, w.h.p., PSM(f ) ≥ 3k − 2 log k − 1.

Theorem (Explicit functions)

∃

• fk : {0, 1}k × {0, 1}k → {0, 1}
• k for which PSM(fk) ≥ 3k − O(log k)

Proof.

Suffices to sample fk from poly(k)-wise independent distribution.

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y
• s ∈ {0, 1}

(x, y) x, s y

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y

y s iff h(x, y) = 1 (x, y) x, s

• s ∈ {0, 1}
• h : X × Y → {0, 1}

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y

y x, s

• s ∈ {0, 1}
• h : X × Y → {0, 1}

s iff h(x, y) = 1 (x, y)

• Pefect correctness
• Perfect privacy

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y
• s ∈ {0, 1}
• h : X × Y → {0, 1}

s iff h(x, y) = 1 (x, y)

• Pefect correctness
• Perfect privacy

x, s, R y, R

• R ∈ {0, 1}∗

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y
• s ∈ {0, 1}
• h : X × Y → {0, 1}

s iff h(x, y) = 1 (x, y)

• Pefect correctness
• Perfect privacy

x, s, R y, R

• R ∈ {0, 1}∗

MA MB

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y
• s ∈ {0, 1}
• h : X × Y → {0, 1}

s iff h(x, y) = 1 (x, y)

• Pefect correctness
• Perfect privacy

x, s, R y, R

• R ∈ {0, 1}∗

MA MB

• Useful applications: unconditionally private information retrieval (P.I.R.),

priced O.T., secret sharing for graph-based access structures, attribute-based encryption

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y
• s ∈ {0, 1}
• h : X × Y → {0, 1}

s iff h(x, y) = 1 (x, y)

• Pefect correctness
• Perfect privacy

x, s, R y, R

• R ∈ {0, 1}∗

MA MB

• Communication lowerbound :
• Ω(log k) for several explicit predicates (Gay et al., CRYPTO, 2015)

Conditional Disclosure of a Secret (C.D.S.)

A B C

• x ∈ X, y ∈ Y
• s ∈ {0, 1}
• h : X × Y → {0, 1}

s iff h(x, y) = 1 (x, y)

• Pefect correctness
• Perfect privacy

x, s, R y, R

• R ∈ {0, 1}∗

MA MB

• Communication lowerbound :
• Ω(log k) for several explicit predicates (Gay et al., CRYPTO, 2015)
• k − o(k) for some non-explicit predicate (Applebaum et al., CRYPTO,

2017)

C.D.S. Lowerbound

Theorem

For predicate h : X × Y → {0, 1}, CDS(h) ≥ 2 log |h−1(0)| − log M − log |X| − log |Y| − 1 .

C.D.S. Lowerbound

Theorem

For predicate h : X × Y → {0, 1}, CDS(h) ≥ 2 log |h−1(0)| − log M − log |X| − log |Y| − 1 . |h−1(0)| := Number of 0-inputs of h

C.D.S. Lowerbound

Theorem

For predicate h : X × Y → {0, 1}, CDS(h) ≥ 2 log |h−1(0)| − log M − log |X| − log |Y| − 1 . M := Size of largest 0-monochromatic rectangle of h All 0’s X Y Truth Table of h

C.D.S. Lowerbound : Special Cases

Corollary (CDS for Inner Product)

For predicate h(x, y) =< x, y >, x, y ∈ {0, 1}k, CDS(h) ≥ k − 3 − o(1).

C.D.S. Lowerbound : Special Cases

Corollary (CDS for Inner Product)

For predicate h(x, y) =< x, y >, x, y ∈ {0, 1}k, CDS(h) ≥ k − 3 − o(1). Remarks:

• Tight bound.
• Previous bound: Ω(log k).

C.D.S. Lowerbound : Special Cases

Corollary (CDS for Inner Product)

For predicate h(x, y) =< x, y >, x, y ∈ {0, 1}k, CDS(h) ≥ k − 3 − o(1). Remarks:

• Tight bound.
• Previous bound: Ω(log k).

Corollary (CDS for Random predicate)

For a random predicate h : {0, 1}k × {0, 1}k → {0, 1}, w.h.p., CDS(h) ≥ k − 4 − o(1).

Summary

We revisited the P.S.M. lowerbound of Feige, Kilian, Naor(FKN) (STOC, 1994) and proved the following results:

Summary

We revisited the P.S.M. lowerbound of Feige, Kilian, Naor(FKN) (STOC, 1994) and proved the following results:

• Counterexample: an f whose P.S.M. communicates only 2k + 2 bits.

Summary

We revisited the P.S.M. lowerbound of Feige, Kilian, Naor(FKN) (STOC, 1994) and proved the following results:

• Counterexample: an f whose P.S.M. communicates only 2k + 2 bits.
• New proof: leads to a 3k − O(log k) lowerbound for a random function.

Summary

We revisited the P.S.M. lowerbound of Feige, Kilian, Naor(FKN) (STOC, 1994) and proved the following results:

• Counterexample: an f whose P.S.M. communicates only 2k + 2 bits.
• New proof: leads to a 3k − O(log k) lowerbound for a random function.
• Lowerbound for explicit functions: existance of a poly-sized circuit family

{fk}k with lowerbound of {3k − O(log k)}k.

Summary

We revisited the P.S.M. lowerbound of Feige, Kilian, Naor(FKN) (STOC, 1994) and proved the following results:

• Counterexample: an f whose P.S.M. communicates only 2k + 2 bits.
• New proof: leads to a 3k − O(log k) lowerbound for a random function.
• Lowerbound for explicit functions: existance of a poly-sized circuit family

{fk}k with lowerbound of {3k − O(log k)}k.

• C.D.S. lowerbound: simple combinatorial criterion for establishing linear

Ω(k) lowerbounds, tight lowerbound for inner product predicate.