Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
Private Simultaneous Message (PSM) protocols were introduced by Feige, Kilian and Naor (STOC ’94) as a minimal non-interactive model for information-theoretic three-party secure computation. While it is known that every function \(f:\{0,1\}^k\times \{0,1\}^k \rightarrow \{0,1\}\) admits a PSM protocol with exponential communication of \(2^{k/2}\) (Beimel et al., TCC ’14), the best known (non-explicit) lower-bound is \(3k-O(1)\) bits. To prove this lower-bound, FKN identified a set of simple requirements, showed that any function that satisfies these requirements is subject to the \(3k-O(1)\) lower-bound, and proved that a random function is likely to satisfy the requirements.
We revisit the FKN lower-bound and prove the following results:
(Counterexample) We construct a function that satisfies the FKN requirements but has a PSM protocol with communication of \(2k+O(1)\) bits, revealing a gap in the FKN proof.
(PSM lower-bounds) We show that, by imposing additional requirements, the FKN argument can be fixed leading to a \(3k-O(\log k)\) lower-bound for a random function. We also get a similar lower-bound for a function that can be computed by a polynomial-size circuit (or even polynomial-time Turing machine under standard complexity-theoretic assumptions). This yields the first non-trivial lower-bound for an explicit Boolean function partially resolving an open problem of Data, Prabhakaran and Prabhakaran (Crypto ’14, IEEE Information Theory ’16). We further extend these results to the setting of imperfect PSM protocols which may have small correctness or privacy error.
(CDS lower-bounds) We show that the original FKN argument applies (as is) to some weak form of PSM protocols which are strongly related to the setting of Conditional Disclosure of Secrets (CDS). This connection yields a simple combinatorial criterion for establishing linear \(\varOmega (k)\)-bit CDS lower-bounds. As a corollary, we settle the complexity of the Inner Product predicate resolving an open problem of Gay, Kerenidis, and Wee (Crypto ’15).
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
It is worth mentioning that the proof of Theorem 4 strongly relies on the explicit combinatorial condition given in Theorem 3 (and we do not know how to obtain it directly from Corollary 1). This illustrates again the importance of relating PSM complexity to other more explicit properties of functions.
Usually, it is assumed that both Alice and Bob hold the secret s. It is not hard to see that this variant and our variant (in which only Alice knows the secret) are equivalent up to at most 1-bit of additional communication.
This is analogous to the relation between Functional Encryption and Attribute Based Encryption. Indeed, CDS can be viewed as an information-theoretic one-time variant of Attribute Based Encryption.
When \(k-1\) is even, there is a simple deterministic construction: Take \(\mathbf {T}_0\) (resp., \(\mathbf {T}_1\)) to be the upper triangular matrix (resp., lower triangular matrix) whose entries on and above main diagonal (resp., on and below the diagonal) are ones and all other entries are zero. It is not hard to verify that both matrices are non-singular. Also \(\mathbf {T}=\mathbf {T}_0+\mathbf {T}_1\) has a zero diagonal and ones in all other entries and so \(\mathbf {T}\) has full rank if \(k-1\) is even. The same construction can be used when \(k-1\) is odd, at the expense of obtaining a matrix \(\mathbf {T}\) with an almost full rank that has only minor affect on the parameter M obtained in Lemma 1.