Towards Breaking the Exponential Barrier for General Secret Sharing - - PowerPoint PPT Presentation

towards breaking the exponential barrier for general
SMART_READER_LITE
LIVE PREVIEW

Towards Breaking the Exponential Barrier for General Secret Sharing - - PowerPoint PPT Presentation

Feb 21, 2023 157 likes •1.02k views

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod Vaikuntanathan Hoeteck Wee MIT MIT CNRS and ENS May 6, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret s { 0 , 1 }

slide-1
SLIDE 1

Towards Breaking the Exponential Barrier for General Secret Sharing

Tianren Liu MIT Vinod Vaikuntanathan MIT Hoeteck Wee CNRS and ENS May 6, 2018

slide-2
SLIDE 2

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

slide-3
SLIDE 3

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

share1 share2 share3 share4 share5

slide-4
SLIDE 4

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

share1 share2 share3 share4 share5

Can I reconstruct s?

share2 share3 share5

slide-5
SLIDE 5

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

share1 share2 share3 share4 share5

Can I reconstruct s?

share2 share3 share5

Threshold Secret Sharing [Shamir’79] YES if I gets ≥ t shares; NO INFO if I gets < t shares.

slide-6
SLIDE 6

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

share1 share2 share3 share4 share5

Can I reconstruct s?

share2 share3 share5

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} x4 ∈ {0,1} x5 ∈ {0,1} Threshold Secret Sharing [Shamir’79] YES if I gets ≥ t shares; NO INFO if I gets < t shares.

slide-7
SLIDE 7

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

share1 share2 share3 share4 share5

Can I reconstruct s?

share2 share3 share5

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} x4 ∈ {0,1} x5 ∈ {0,1}

0: not send 1: send 1: send 0: not send 1: send

Threshold Secret Sharing [Shamir’79] YES if I gets ≥ t shares; NO INFO if I gets < t shares.

slide-8
SLIDE 8

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

share1 share2 share3 share4 share5

Can I reconstruct s?

share2 share3 share5

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} x4 ∈ {0,1} x5 ∈ {0,1}

0: not send 1: send 1: send 0: not send 1: send

Threshold Secret Sharing [Shamir’79] YES if thresholdt(x1,...,xn) = 1; NO INFO if thresholdt(x1,...,xn) = 0.

slide-9
SLIDE 9

Secret Sharing [Blakley’79,Shamir’79,Ito-Saito-Nishizeki’87]

Secret s ∈ {0,1}

share1 share2 share3 share4 share5

Can I reconstruct s?

share2 share3 share5

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} x4 ∈ {0,1} x5 ∈ {0,1}

0: not send 1: send 1: send 0: not send 1: send

General Secret Sharing [ISN’89] monotone F : {0,1}n → {0,1} YES if F(x1,...,xn) = 1; NO INFO if F(x1,...,xn) = 0.

slide-10
SLIDE 10

Key Complexity Measure: Total Share Size

Best Known Secret Sharing Schemes

Share size ≤ O(monotone formula size) ≤ ˜ O(2n). [Benaloh-Leichter’88] Share size ≤ O(monotone span program size) ≤ ˜ O(2n).

[Karchmer-Wigderson’93]

slide-11
SLIDE 11

Key Complexity Measure: Total Share Size

Best Known Secret Sharing Schemes

Share size ≤ O(monotone formula size) ≤ ˜ O(2n). [Benaloh-Leichter’88] Share size ≤ O(monotone span program size) ≤ ˜ O(2n).

[Karchmer-Wigderson’93]

Lower Bounds

∃F that share size ≥ ˜ O(2n/2) for linear secret sharing. [KW’93] ∃F that total share size ≥ ˜ Ω(n2). [Csirmaz’97]

slide-12
SLIDE 12

Key Complexity Measure: Total Share Size

Best Known Secret Sharing Schemes

Share size ≤ O(monotone formula size) ≤ ˜ O(2n). [Benaloh-Leichter’88] Share size ≤ O(monotone span program size) ≤ ˜ O(2n).

[Karchmer-Wigderson’93]

Lower Bounds

∃F that share size ≥ ˜ O(2n/2) for linear secret sharing. [KW’93] ∃F that total share size ≥ ˜ Ω(n2). [Csirmaz’97]

Empirical Observation: In general secret sharing, share size grows (polynomially) on representation size.

slide-13
SLIDE 13

Key Complexity Measure: Total Share Size

Best Known Secret Sharing Schemes

Share size ≤ O(monotone formula size) ≤ ˜ O(2n). [Benaloh-Leichter’88] Share size ≤ O(monotone span program size) ≤ ˜ O(2n).

[Karchmer-Wigderson’93]

Lower Bounds

∃F that share size ≥ ˜ O(2n/2) for linear secret sharing. [KW’93] ∃F that total share size ≥ ˜ Ω(n2). [Csirmaz’97]

Empirical Observation: In general secret sharing, share size grows (polynomially) on representation size.

Representation Size Barrier?

For any collection of 22Ω(n) monotone access functions, ∃F in the collection that requires 2Ω(n) share size.

slide-14
SLIDE 14

Our results

Representation Size Barrier?

For any collection of 22Ω(n) monotone access functions, ∃F in the collection that requires 2Ω(n) share size.

slide-15
SLIDE 15

Our results

Representation Size Barrier?

For any collection of 22Ω(n) monotone access functions, ∃F in the collection that requires 2Ω(n) share size.

Our Theorem: Overcoming the Representation Size Barrier

There is a collection of 22n/2 monotone access functions, s.t. ∀F in the family has a secret sharing scheme with share size 2 ˜

O(√n).

slide-16
SLIDE 16

Our results

Representation Size Barrier?

For any collection of 22Ω(n) monotone access functions, ∃F in the collection that requires 2Ω(n) share size.

Our Theorem: Overcoming the Representation Size Barrier

There is a collection of 22n/2 monotone access functions, s.t. ∀F in the family has a secret sharing scheme with share size 2 ˜

O(√n).

Main Tool: Multi-party Conditional Disclosure of Secrets (CDS)

Multi-party CDS scheme with communication complexity 2 ˜

O(√n).

slide-17
SLIDE 17

Multi-party Conditional Disclosure of Secrets

[Gertner-Ishai-Kushilevitz-Malkin’00]

. . .

C

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} xn ∈ {0,1} x1,...,xn ∈ {0,1}

slide-18
SLIDE 18

Multi-party Conditional Disclosure of Secrets

[Gertner-Ishai-Kushilevitz-Malkin’00]

. . .

C

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} xn ∈ {0,1} x1,...,xn ∈ {0,1} bit s

randomness r

slide-19
SLIDE 19

Multi-party Conditional Disclosure of Secrets

[Gertner-Ishai-Kushilevitz-Malkin’00]

. . .

C

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} xn ∈ {0,1} x1,...,xn ∈ {0,1}

gets s if and only if F(x1,...,xn) = 1

bit s

randomness r

slide-20
SLIDE 20

Multi-party Conditional Disclosure of Secrets

[Gertner-Ishai-Kushilevitz-Malkin’00]

m1 m2 m3 mn . . .

C

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} xn ∈ {0,1} x1,...,xn ∈ {0,1}

gets s if and only if F(x1,...,xn) = 1

bit s

randomness r

slide-21
SLIDE 21

Multi-party Conditional Disclosure of Secrets

[Gertner-Ishai-Kushilevitz-Malkin’00]

m1 m2 m3 mn . . .

C

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} xn ∈ {0,1} x1,...,xn ∈ {0,1} bit s

randomness r

◮ Correctness: When F(x1,...,xn) = 1, Charlie gets s.

slide-22
SLIDE 22

Multi-party Conditional Disclosure of Secrets

[Gertner-Ishai-Kushilevitz-Malkin’00]

m1 m2 m3 mn . . .

C

x1 ∈ {0,1} x2 ∈ {0,1} x3 ∈ {0,1} xn ∈ {0,1} x1,...,xn ∈ {0,1} bit s

randomness r

◮ Correctness: When F(x1,...,xn) = 1, Charlie gets s. ◮ IT Privacy: When F(x1,...,xn) = 0, Charlie learns nothing about s.

slide-23
SLIDE 23

Multi-party Conditional Disclosure of Secrets [GIKM’00]

Multi-party CDS m1 m2 m3 mk

C

. . . x1 x2 x3 xn x1,...,xk bit s

randomness r

gets s iff F(x1,...,xn) = 1 for some public F

slide-24
SLIDE 24

Multi-party Conditional Disclosure of Secrets [GIKM’00]

Multi-party CDS m1 m2 m3 mk

C

. . . x1 x2 x3 xn x1,...,xk bit s

randomness r

gets s iff F(x1,...,xn) = 1 for some public F “Promise” secret sharing

A0 A1 B0 B1 C0 C1 D0 D1 E0 E1

n/2 buckets

slide-25
SLIDE 25

Multi-party Conditional Disclosure of Secrets [GIKM’00]

Multi-party CDS m1 m2 m3 mk

C

. . . x1 x2 x3 xn x1,...,xk bit s

randomness r

gets s iff F(x1,...,xn) = 1 for some public F “Promise” secret sharing

A0 A1 B0 B1 C0 C1 D0 D1 E0 E1

n/2 buckets

◮ Promise: Exactly one

participant from each bucket

slide-26
SLIDE 26

Multi-party Conditional Disclosure of Secrets [GIKM’00]

Multi-party CDS m1 m2 m3 mk

C

. . . x1 x2 x3 xn x1,...,xk bit s

randomness r

gets s iff F(x1,...,xn) = 1 for some public F “Promise” secret sharing

A0 A1 B0 B1 C0 C1 D0 D1 E0 E1

n/2 buckets

◮ Promise: Exactly one

participant from each bucket

◮ Ax1,Bx2,...,Ex5 recover s if

F(x1,...,x5) = 1

slide-27
SLIDE 27

Multi-party Conditional Disclosure of Secrets [GIKM’00]

Multi-party CDS m1 m2 m3 mk

C

. . . x1 x2 x3 xn x1,...,xk bit s

randomness r

gets s iff F(x1,...,xn) = 1 for some public F “Promise” secret sharing

A0 A1 B0 B1 C0 C1 D0 D1 E0 E1

n/2 buckets

◮ Promise: Exactly one

participant from each bucket

◮ Ax1,Bx2,...,Ex5 recover s if

F(x1,...,x5) = 1

◮ # access functions = 22n/2

slide-28
SLIDE 28

Multi-party Conditional Disclosure of Secrets [GIKM’00]

Multi-party CDS m1 m2 m3 mk

C

. . . x1 x2 x3 xn x1,...,xk bit s

randomness r

gets s iff F(x1,...,xn) = 1 for some public F “Promise” secret sharing

A0 A1 B0 B1 C0 C1 D0 D1 E0 E1

n/2 buckets

◮ Promise: Exactly one

participant from each bucket

◮ Ax1,Bx2,...,Ex5 recover s if

F(x1,...,x5) = 1

◮ # access functions = 22n/2 ◮ A0’s share = m1(0,s,r),

A1’s share = m1(1,s,r), etc

slide-29
SLIDE 29

Multi-party Conditional Disclosure of Secrets [GIKM’00]

m1 m2 m3 mn . . .

C

x1 x2 x3 xn x1,...,xn ∈ {0,1} Public F : {0,1}n → {0,1} bit s

randomness r

◮ Correctness: When F(x1,...,xn) = 1, Charlie gets s. ◮ IT Privacy: When F(x1,...,xn) = 0, Charlie learns nothing about s.

slide-30
SLIDE 30

Multi-party Conditional Disclosure of Secrets [GIKM’00]

mA m1 m2 m3 mn . . .

A C

x1 x2 x3 xn x1,...,xn ∈ {0,1} Public F : {0,1}n → {0,1} bit s

randomness r

◮ Correctness: When F(x1,...,xn) = 1, Charlie gets s. ◮ IT Privacy: When F(x1,...,xn) = 0, Charlie learns nothing about s.

slide-31
SLIDE 31

Multi-party Conditional Disclosure of Secrets [GIKM’00]

mA m1 m2 m3 mn . . .

A

F

C

x1 x2 x3 xn x1,...,xn ∈ {0,1} F ∈ {0,1}2n, Public F : {0,1}n → {0,1} bit s

randomness r

◮ Correctness: When F(x1,...,xn) = 1, Charlie gets s. ◮ IT Privacy: When F(x1,...,xn) = 0, Charlie learns nothing about s.

slide-32
SLIDE 32

Multi-party Conditional Disclosure of Secrets [GIKM’00]

mA m1 m2 m3 mn . . .

A

F

C

x1 x2 x3 xn x1,...,xn ∈ {0,1} F ∈ {0,1}2n, Public F : {0,1}n → {0,1} bit s

randomness r

◮ Correctness: When F(x1,...,xn) = 1, Charlie gets s. ◮ IT Privacy: When F(x1,...,xn) = 0, Charlie learns nothing about s.

slide-33
SLIDE 33

Multi-party Conditional Disclosure of Secrets [GIKM’00]

mA m1 m2 m3 mn . . .

A

F

C

x1 x2 x3 xn x1,...,xn ∈ {0,1} F ∈ {0,1}2n, Public F : {0,1}n → {0,1} bit s

randomness r

◮ Correctness: When F(x1,...,xn) = 1, Charlie gets s. ◮ IT Privacy: When F(x1,...,xn) = 0, Charlie learns nothing about s.

slide-34
SLIDE 34

2-party Conditional Disclosure of Secrets [GIKM’00]

C B A

bit s

randomness r

mB mA F ∈ {0,1}2n x ∈ {0,1}n F ∈ {0,1}2n,x ∈ {0,1}n

◮ Correctness: When F(x) = 1, Charlie gets s. ◮ IT Privacy: When F(x) = 0, Charlie learns nothing about s.

slide-35
SLIDE 35

2-party CDS: Previous Works 2-Party CDS

Communication Complexity Reconstruction Θ(2n/2) [GKW’15] linear Θ(2n/3) [LVW’17] quadratic 2 ˜

O(√n)

[LVW’17] general Ω(n) [GKW’15] general

slide-36
SLIDE 36

2-party CDS = ⇒ Multi-party CDS

2-party CDS

A B C

F x F,x

◮ O(2n/2) linear reconstruction [GKW’15] ◮ O(2n/3) quadratic reconstruction [LVW’17] ◮ 2 ˜ O(√n) general reconstruction [LVW’17]

Multi-party CDS

A C

. . . F x1 x2 xn F,x

slide-37
SLIDE 37

2-party CDS = ⇒ Multi-party CDS

2-party CDS

A B C

F x F,x

◮ O(2n/2) linear reconstruction [GKW’15] ◮ O(2n/3) quadratic reconstruction [LVW’17] ◮ 2 ˜ O(√n) general reconstruction [LVW’17]

Multi-party CDS

A C

. . . F x1 x2 xn F,x

???

slide-38
SLIDE 38

2-party CDS = ⇒ Multi-party CDS

2-party CDS

A B C

F x F,x

◮ O(2n/2) linear reconstruction [GKW’15] ◮ O(2n/3) quadratic reconstruction [LVW’17] ◮ 2 ˜ O(√n) general reconstruction [LVW’17]

Multi-party CDS

A C

. . . F x1 x2 xn F,x O(2n/2) linear reconstruction O(2n/3) quadratic reconstruction 2 ˜

O(√n) general reconstruction

slide-39
SLIDE 39

2-party CDS = ⇒ Multi-party CDS

2-party CDS

A B C

F x F,x

◮ O(2n/2) linear reconstruction [GKW’15] ◮ O(2n/3) quadratic reconstruction [LVW’17] ◮ 2 ˜ O(√n) general reconstruction [LVW’17]

Multi-party CDS

A C

. . . F x1 x2 xn F,x O(2n/2) linear reconstruction O(2n/3) quadratic reconstruction 2 ˜

O(√n) general reconstruction

slide-40
SLIDE 40

2-party CDS = ⇒ Multi-party CDS

2-party CDS

A B C

F x F,x

◮ O(2n/2) linear reconstruction [GKW’15] ◮ O(2n/3) quadratic reconstruction [LVW’17] ◮ 2 ˜ O(√n) general reconstruction [LVW’17]

Multi-party CDS

A C

. . . F x1 x2 xn F,x O(2n/2) linear reconstruction O(2n/3) quadratic reconstruction 2 ˜

O(√n) general reconstruction

slide-41
SLIDE 41

2-party CDS = ⇒ Multi-party CDS

2-party CDS

A B C

F x F,x Multi-party CDS

A C

. . . F x1 x2 xn F,x

Key Idea: Player Emulation [Hirt-Maurer’00]

slide-42
SLIDE 42

2-party CDS = ⇒ Multi-party CDS

2-party CDS mB

A B C

F x F,x Multi-party CDS

A C

. . . F x1 x2 xn F,x

Key Idea: Player Emulation [Hirt-Maurer’00]

◮ What is sent by Bob? mB(x,s,r)

slide-43
SLIDE 43

2-party CDS = ⇒ Multi-party CDS

2-party CDS mB

A B C

F x F,x Multi-party CDS m1 m2 mn

A C

. . . F x1 x2 xn F,x

Key Idea: Player Emulation [Hirt-Maurer’00]

◮ What is sent by Bob? mB(x,s,r) ◮ How can n players jointly compute mB... revealing nothing else?

slide-44
SLIDE 44

2-party CDS = ⇒ Multi-party CDS

2-party CDS mB

A B C

F x F,x Multi-party CDS m1 m2 mn

A C

. . . F x1 x2 xn F,x

Key Idea: Player Emulation [Hirt-Maurer’00]

◮ What is sent by Bob? mB(x,s,r) ◮ How can n players jointly compute mB... revealing nothing else? ◮ PSM (Private Simultaneous Messages) [FKN’94] ≈ Non-Interactive MPC

slide-45
SLIDE 45

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

m1 m2 mn x1 x2 xn bit s

randomness r

slide-46
SLIDE 46

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

m1 m2 mn x1 x2 xn bit s

randomness r

slide-47
SLIDE 47

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

◮ Bob sends mB := r +s ·ux

m1 m2 mn x1 x2 xn bit s

randomness r

slide-48
SLIDE 48

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

◮ Bob sends mB := r +s ·ux ◮ ux: matching vector

ux,vx ∈ Zℓ

6 for each x ∈ {0,1}n

ux,vy =

  • 0,

if x = y = 0,

  • .w.

m1 m2 mn x1 x2 xn bit s

randomness r

slide-49
SLIDE 49

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

◮ Bob sends mB := r +s ·ux ◮ ux: matching vector

ux,vx ∈ Zℓ

6 for each x ∈ {0,1}n

ux,vy =

  • 0,

if x = y = 0,

  • .w.

◮ ℓ = 2O(√nlogn) [BBR’94,Gro’00]

m1 m2 mn x1 x2 xn bit s

randomness r

slide-50
SLIDE 50

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

◮ Bob sends mB := r +s ·ux ◮ ux: matching vector

ux,vx ∈ Zℓ

6 for each x ∈ {0,1}n

ux,vy =

  • 0,

if x = y = 0,

  • .w.

◮ ℓ = 2O(√nlogn) [BBR’94,Gro’00] ◮ Communication = ℓ = 2O(√nlogn)

m1 m2 mn x1 x2 xn bit s

randomness r

slide-51
SLIDE 51

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

◮ Bob sends mB := r +s ·ux ◮ ux: matching vector

ux,vx ∈ Zℓ

6 for each x ∈ {0,1}n

ux,vy =

  • 0,

if x = y = 0,

  • .w.

◮ ℓ = 2O(√nlogn) [BBR’94,Gro’00] ◮ Communication = ℓ = 2O(√nlogn)

m1 m2 mn x1 x2 xn bit s

randomness r

PSM protocol computing mB?

slide-52
SLIDE 52

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

◮ Bob sends mB := r +s ·ux ◮ ux: matching vector

ux,vx ∈ Zℓ

6 for each x ∈ {0,1}n

ux,vy =

  • 0,

if x = y = 0,

  • .w.

◮ ℓ = 2O(√nlogn) [BBR’94,Gro’00] ◮ Communication = ℓ = 2O(√nlogn)

m1 m2 mn x1 x2 xn bit s

randomness r

PSM protocol computing mB?

◮ If mB(x,s,r) computable by

small arithmetic formula, PSM communication is small.

[IK’02,AIK’04]

slide-53
SLIDE 53

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

What is sent by Bob?

◮ Bob sends mB := r +s ·ux ◮ ux: matching vector

ux,vx ∈ Zℓ

6 for each x ∈ {0,1}n

ux,vy =

  • 0,

if x = y = 0,

  • .w.

◮ ℓ = 2O(√nlogn) [BBR’94,Gro’00] ◮ Communication = ℓ = 2O(√nlogn)

m1 m2 mn x1 x2 xn bit s

randomness r

PSM protocol computing mB?

◮ If mB(x,s,r) computable by

small arithmetic formula, PSM communication is small.

[IK’02,AIK’04]

◮ Is x → ux simple?

slide-54
SLIDE 54

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

m1 m2 mn x1 x2 xn bit s

randomness r

New Construction of Matching Vectors

◮ mapping x → ux computable by small formula

slide-55
SLIDE 55

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

m1 m2 mn x1 x2 xn bit s

randomness r

New Construction of Matching Vectors

◮ mapping x → ux computable by small formula ◮ ∀x, ux = u1,x1 ◦...◦un,xn

n pairs of vectors (u1,0,u1,1),...,(un,0,un,1)

slide-56
SLIDE 56

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

m1 m2 mn x1 x2 xn bit s

randomness r

New Construction of Matching Vectors

◮ mapping x → ux computable by small formula ◮ ∀x, ux = u1,x1 ◦...◦un,xn

n pairs of vectors (u1,0,u1,1),...,(un,0,un,1)

◮ i-th bit of mB = r +s ·ux computable by

size-O(n) arithmetic formula r[i]+s ·u1,x1[i]·...·un,xn[i]

slide-57
SLIDE 57

2-party CDS = ⇒ Multi-party CDS

mB

B

x bit s

randomness r

m1 m2 mn x1 x2 xn bit s

randomness r

New Construction of Matching Vectors

◮ mapping x → ux computable by small formula ◮ ∀x, ux = u1,x1 ◦...◦un,xn

n pairs of vectors (u1,0,u1,1),...,(un,0,un,1)

◮ i-th bit of mB = r +s ·ux computable by

size-O(n) arithmetic formula r[i]+s ·u1,x1[i]·...·un,xn[i]

◮ ℓ = 2O(√nlogn) 2O(√nlogn)

slide-58
SLIDE 58

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

slide-59
SLIDE 59

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}n2

s.t. zx has

n logn 1’s

slide-60
SLIDE 60

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}n2

s.t. zx has

n logn 1’s ◮ There exists polynomials {px}x for each x s.t.

degree-O(

  • n/logn) over Z6

py(zx) =

  • 0,

if x = y = 0,

  • .w.
slide-61
SLIDE 61

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}n2

s.t. zx has

n logn 1’s ◮ There exists polynomials {px}x for each x s.t.

degree-O(

  • n/logn) over Z6

py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(

  • n/logn) monomials of zx
slide-62
SLIDE 62

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}n2

s.t. zx has

n logn 1’s ◮ There exists polynomials {px}x for each x s.t.

degree-O(

  • n/logn) over Z6

py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(

  • n/logn) monomials of zx

◮ ux,vy = py(zx)

length = # monomials = (n2)O(√

n/logn) = 2O(√nlogn)

slide-63
SLIDE 63

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}n2

s.t. zx has

n logn 1’s ◮ There exists polynomials {px}x for each x s.t.

degree-O(

  • n/logn) over Z6

py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(

  • n/logn) monomials of zx

◮ ux,vy = py(zx)

length = # monomials = (n2)O(√

n/logn) = 2O(√nlogn)

simple zx → ux

slide-64
SLIDE 64

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}n2

s.t. zx has

n logn 1’s ◮ There exists polynomials {px}x for each x s.t.

degree-O(

  • n/logn) over Z6

py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(

  • n/logn) monomials of zx

◮ ux,vy = py(zx)

length = # monomials = (n2)O(√

n/logn) = 2O(√nlogn)

simplify x → zx simple zx → ux

slide-65
SLIDE 65

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}2n

s.t. zx has n 1’s

◮ There exists polynomials {px}x for each x s.t.

degree-O(

  • n/logn) over Z6

py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(

  • n/logn) monomials of zx

◮ ux,vy = py(zx)

length = # monomials = (n2)O(√

n/logn) = 2O(√nlogn)

simplify x → zx simple zx → ux

slide-66
SLIDE 66

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}2n

s.t. zx has n 1’s; map 0 → 01, 1 → 10

◮ There exists polynomials {px}x for each x s.t.

degree-O(

  • n/logn) over Z6

py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(

  • n/logn) monomials of zx

◮ ux,vy = py(zx)

length = # monomials = (n2)O(√

n/logn) = 2O(√nlogn)

simplify x → zx simple zx → ux

slide-67
SLIDE 67

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}2n

s.t. zx has n 1’s; map 0 → 01, 1 → 10

◮ There exists polynomials {px}x for each x s.t.

degree-O(√n) over Z6 py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(√n) monomials of zx

◮ ux,vy = py(zx)

length = # monomials = (n2)O(√

n/logn) = 2O(√nlogn)

simplify x → zx simple zx → ux

slide-68
SLIDE 68

2-party CDS = ⇒ Multi-party CDS New Construction of Matching Vectors x → (ux,vx)

◮ Each x ∈ {0,1}n is mapped to zx ∈ {0,1}2n

s.t. zx has n 1’s; map 0 → 01, 1 → 10

◮ There exists polynomials {px}x for each x s.t.

degree-O(√n) over Z6 py(zx) =

  • 0,

if x = y = 0,

  • .w.

◮ Let vx be the coefficients of py

and ux be all degree-O(√n) monomials of zx

◮ ux,vy = py(zx)

length = # monomials = (2n)O(√n) = 2O(√nlogn) simplify x → zx simple zx → ux

slide-69
SLIDE 69

2-party CDS = ⇒ Multi-party CDS

◮ Simpler matching vector x → ux

slide-70
SLIDE 70

2-party CDS = ⇒ Multi-party CDS

◮ Simpler matching vector x → ux ◮ (2-party CDS) Bob’s message is a small formula

slide-71
SLIDE 71

2-party CDS = ⇒ Multi-party CDS

◮ Simpler matching vector x → ux ◮ (2-party CDS) Bob’s message is a small formula ◮ (multi-party CDS) n parties can be efficiently emulate Bob

slide-72
SLIDE 72

Our Results

◮ Simpler matching vector x → ux ◮ (2-party CDS) Bob’s message is a small formula ◮ (multi-party CDS) n parties can be efficiently emulate Bob

Multi-party CDS

There is a multi-party CDS scheme with communication complexity 2O(√nlogn) as long as the total input length is n bits.

slide-73
SLIDE 73

Our Results

◮ Simpler matching vector x → ux ◮ (2-party CDS) Bob’s message is a small formula ◮ (multi-party CDS) n parties can be efficiently emulate Bob

Multi-party CDS

There is a multi-party CDS scheme with communication complexity 2O(√nlogn) as long as the total input length is n bits.

Secret sharing for double-exponentially many access functions

There is a collection of 22n/2 access functions, s.t. ∀F in the family has a secret sharing scheme with share size 2O(√nlogn).

slide-74
SLIDE 74

Our Results

2-party CDS O(2n/2) [GKW’15]

linear reconstruction

O(2n/3) [LVW’17]

quadratic reconstruction

2O(√nlogn) [LVW’17]

general reconstruction

Multi-party CDS 2O(√nlogn) [This]

general reconstruction

slide-75
SLIDE 75

Our Results

2-party CDS O(2n/2) [GKW’15]

linear reconstruction

O(2n/3) [LVW’17]

quadratic reconstruction

2O(√nlogn) [LVW’17]

general reconstruction

Multi-party CDS O(2n/2) [This,BP’18]

linear reconstruction, optimal

O(2n/3)

quadratic reconstruction, optimal

2O(√nlogn) [This]

general reconstruction

slide-76
SLIDE 76

Subsequent Works on Secret Sharing

Secret sharing for even more access functions [This,BKN’18]

There is a collection of 2( n

n/2) access functions, s.t.

∀F in the family has a secret sharing scheme with share size 2 ˜

O(√n).

slide-77
SLIDE 77

Subsequent Works on Secret Sharing

Secret sharing for even more access functions [This,BKN’18,LV’18]

There is a collection of 2( n

n/2)+2Ω(n) access functions, s.t.

∀F in the family has a secret sharing scheme with share size 2 ˜

O(√n).

slide-78
SLIDE 78

Subsequent Works on Secret Sharing

Secret sharing for even more access functions [This,BKN’18,LV’18]

There is a collection of 2( n

n/2)+2Ω(n) access functions, s.t.

∀F in the family has a secret sharing scheme with share size 2 ˜

O(√n).

# monotone function ≤ 2( n

n/2)·(1+ O(logn) n

)

slide-79
SLIDE 79

Subsequent Works on Secret Sharing

Secret sharing for even more access functions [This,BKN’18,LV’18]

There is a collection of 2( n

n/2)+2Ω(n) access functions, s.t.

∀F in the family has a secret sharing scheme with share size 2 ˜

O(√n).

# monotone function ≤ 2( n

n/2)·(1+ O(logn) n

)

Secret sharing for all access functions [LV’18 @STOC]

∀F has a secret sharing scheme with share size 20.994n.

slide-80
SLIDE 80

To Summarize Can communication ≪

(or representation)

computation size?

slide-81
SLIDE 81

To Summarize Can communication ≪

(or representation)

computation size?

Computational

◮ FHE

slide-82
SLIDE 82

To Summarize Can communication ≪

(or representation)

computation size?

Computational

◮ FHE

Information theoretic

◮ Private Information Retrieval

slide-83
SLIDE 83

To Summarize Can communication ≪

(or representation)

computation size?

Computational

◮ FHE

Information theoretic

◮ Private Information Retrieval ◮ Conditional Disclosure of Secrets

2-party & multiparty case

slide-84
SLIDE 84

To Summarize Can communication ≪

(or representation)

computation size?

Computational

◮ FHE

Information theoretic

◮ Private Information Retrieval ◮ Conditional Disclosure of Secrets

2-party & multiparty case

◮ Secret Sharing

for 22Ω(n) access functions potentially for all access functions

slide-85
SLIDE 85

To Summarize Can communication ≪

(or representation)

computation size?

Computational

◮ FHE

Information theoretic

◮ Private Information Retrieval ◮ Conditional Disclosure of Secrets

2-party & multiparty case

◮ Secret Sharing

for 22Ω(n) access functions potentially for all access functions

◮ What’s next?