TY - GEN
T1 - Conditional disclosure of secrets
T2 - 37th Annual International Cryptology Conference, CRYPTO 2017
AU - Applebaum, Benny
AU - Arkis, Barak
AU - Raykov, Pavel
AU - Vasudevan, Prashant Nalini
N1 - Publisher Copyright: © International Association for Cryptologic Research 2017.
PY - 2017
Y1 - 2017
AB - In the conditional disclosure of secrets problem (Gertner et al. J. Comput. Syst. Sci. 2000) Alice and Bob, who hold inputs x and y respectively, wish to release a common secret s to Carol (who knows both x and y) if and only if the input (x, y) satisfies some predefined predicate f. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some joint randomness and the goal is to minimize the communication complexity while providing information-theoretic security. Following Gay et al. (Crypto 2015), we study the communication complexity of CDS protocols and derive the following positive and negative results. – (Closure): A CDS for f can be turned into a CDS for its complement f̄ with only a minor blow-up in complexity. More generally, for a (possibly non-monotone) predicate h, we obtain a CDS for h(f_1,…,f_m) whose cost is essentially linear in the formula size of h and polynomial in the CDS complexity of f_i. – (Amplification): It is possible to reduce the privacy and correctness error of a CDS from constant to 2^{-k} with a multiplicative overhead of O(k). Moreover, this overhead can be amortized over k-bit secrets. – (Amortization): Every predicate f over n-bit inputs admits a CDS for multi-bit secrets whose amortized communication complexity per secret bit grows linearly with the input length n for sufficiently long secrets. In contrast, the best known upper-bound for single-bit secrets is exponential in n. – (Lower-bounds): There exists a (non-explicit) predicate f over n-bit inputs for which any perfect (single-bit) CDS requires communication of at least Ω(n). This is an exponential improvement over the previously known Ω(log n) lower-bound. – (Separations): There exists an (explicit) predicate whose CDS complexity is exponentially smaller than its randomized communication complexity. This matches a lower-bound of Gay et al., and, combined with another result of theirs, yields an exponential separation between the communication complexity of linear CDS and non-linear CDS. This is the first provable gap between the communication complexity of linear CDS (which captures most known protocols) and non-linear CDS.
UR - http://www.scopus.com/inward/record.url?scp=85028457201&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-319-63688-7_24
DO - https://doi.org/10.1007/978-3-319-63688-7_24
M3 - Conference contribution
SN - 9783319636870
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 727
EP - 757
BT - Advances in Cryptology – CRYPTO 2017 - 37th Annual International Cryptology Conference, Proceedings
A2 - Shacham, Hovav
A2 - Katz, Jonathan
Y2 - 20 August 2017 through 24 August 2017
ER -