Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

We revisit a fundamental question in the foundations of cryptography: What is the communication overhead of privacy in computation? This question has been considered in several different models and settings (see, e.g., [CK91, OS08, ACC+14, DPP14]). In this work, we address this question in two, arguably minimalistic, models for communication in the setting of information-theoretic security, namely the conditional disclosure of secrets (CDS) model [GIKM00] and the private simultaneous messages (PSM) model [FKN94, IK97], with a focus on the former.

Fig. 1.
figure 1

Pictorial representation of CDS and PSM.

Full size image

Conditional Disclosure of Secrets (CDS). Two-party conditional disclosure of secrets (CDS) [GIKM00] (c.f. Fig. 1) is a generalization of secret sharing [Sha79, ISN89]: two parties want to disclose a secret to a third party if and only if their respective inputs satisfy some fixed predicate \(\mathsf {P}: [N] \times [N] \rightarrow \{0,1\}\). Concretely, Alice holds x, Bob holds y and in addition, they both hold a secret \(\mu \in \{0,1\}\) (along with some additional private randomness w). Charlie knows both x and y but not \(\mu \); Alice and Bob want to disclose \(\mu \) to Charlie iff \(\mathsf {P}(x,y)=1\). How many bits do Alice and Bob need to communicate to Charlie?

This is a very simple and natural model where non-private computation requires very little communication (just a single bit), whereas the best upper bound for private computation is exponential. Indeed, in the non-private setting, Alice or Bob can send \(\mu \) to Charlie, upon which Charlie computes \(\mathsf {P}(x,y)\) and decides whether to output \(\mu \) or \(\perp \). This trivial protocol with one-bit communication is not private because Charlie learns \(\mu \) even when the predicate is false. In contrast, in the private setting, we have a big gap between upper and lower-bounds. The best upper bound we have for CDS for general predicates \(\mathsf {P}\) requires that Alice and Bob each transmits \(O(N^{1/2})\) bits [BIKK14, GKW15], and the best known lower bound is \(\Omega (\log N)\) [GKW15, AARV17]. A central open problem is to narrow this gap, namely:

Do there exist CDS protocols for general predicates \(\mathsf {P}: [N] \times [N] \rightarrow \{0,1\}\) with \(o(N^{1/2})\) communication?

In this work, we address this question in the affirmative, giving two protocols with \(o(N^{1/2})\) communication, including one with sub-polynomial \(N^{o(1)}\) communication. Before describing our results in more detail, we need to place this question in a broader context.

First, the existing exponential gap between upper and lower bounds for CDS is analogous to a long-standing open question in information-theoretic cryptography, namely, the study of secret-sharing schemes for general access structures [ISN89]. For general secret-sharing schemes, the best upper bounds on the (individual) share size are exponential in the number of parties n, namely \(2^{\Theta (n)}\), whereas the best lower bounds are nearly linear [Csi97], namely \(\Omega (n/\log n)\) (see Beimel’s survey [Bei11] for more details).

It turns out that we do have a more nuanced understanding of this gap, both for CDS and for secret-sharing. This understanding comes from looking at the complexity of the “reconstruction function”: in CDS, this refers to the function that Charlie computes on Alice’s and Bob’s messages to recover \(\mu \), and in secret-sharing, the function used to recover the secret from the shares, and by complexity, we refer to the degree of the reconstruction function when expressed as a multivariate polynomial in its inputs, namely Alice’s and Bob’s messages or the shares.

On the Importance of Reconstruction Degree. Most known CDS and secret-sharing schemes have linear reconstruction functions (which is necessary for some applications), and for linear reconstruction, the existing upper bounds for both CDS and secret-sharing are essentially optimal [BGP95, RPRC16, GKW15]. Therefore, to narrow the exponential gap between upper and lower bounds for CDS, we need to turn to general, non-linear reconstruction functions, as will be the case for our new CDS protocols.

Starting from the work of Beimel and Ishai, we know of a few specific (artificial) access structures with non-linear secret sharing schemes (which are unlikely to have efficient linear secret sharing schemes) [BI01, VV15]. More recently, [AARV17] showed a specific (contrived) predicate with a non-linear CDS scheme that is exponentially more efficient than the best linear CDS scheme. Unfortunately, none of these works yield any techniques that work with general predicates.

Henceforth, instead of referring to general predicates, we will focus on a specific predicate \(\mathbf {INDEX}_n\) where Alice holds a vector \(\mathbf D\in \{0,1\}^n\), Bob holds an index \(i \in [n]\) and the predicate is \(\mathbf D,i \mapsto \mathbf D_i\), namely the i-th bit of \(\mathbf D\); that is, Charlie learns the secret \(\mu \) iff \(\mathbf D_i = 1\). It is easy to see that we can derive a CDS protocol for the class of general predicates \(\mathsf {P}: [N] \times [N] \rightarrow \{0,1\}\) – which we denote by \(\mathbf {ALL}_N\) – from one for \(\mathbf {INDEX}_N\), by considering the truth table of the predicate as the database and the input to the predicate as the index. Via this connection, our central open problem reduces to constructing CDS for \(\mathbf {INDEX}_n\) with \(o(\sqrt{n})\) communication. The best known CDS protocol for INDEX (regardless of the reconstruction degree) has communication \(O(\sqrt{n})\); and this protocol indeed has linear reconstruction, for which there is a matching lower bound. More generally, Gay et al. [GKW15] show that any CDS for \(\mathbf {INDEX}_n\) with degree k reconstruction requires communication \(\Omega (n^{\frac{1}{k+1}})\).

1.1 Our Results and Techniques

The main results of this work are two CDS protocols for \(\mathbf {INDEX}_n\) achieving \(o(\sqrt{n})\) communication via non-linear reconstruction, namely:

  • a CDS protocol with \(O(n^{1/3})\) communication with quadratic reconstruction, which is optimal;

  • a CDS protocol with \(2^{O(\sqrt{\log n \log \log n})} = n^{o(1)}\) with general reconstruction.

These immediately imply CDS protocols for general predicates \(\mathbf {ALL}_N\) with \(O(N^{1/3})\) communication and quadratic reconstruction, and \(2^{O(\sqrt{\log N \log \log N})} = N^{o(1)}\) and general reconstruction. Our CDS protocols also yield similar improvements for secret-sharing schemes for the so-called “forbidden graph access structures” [SS97] via a generic transformation in [BIKK14]; in particular, we present the first schemes that achieve \(o(\sqrt{N})\) share sizes for graphs on N nodes. Overall, this is first work to break the “linear reconstruction” barrier for general predicates in settings related to secret sharing.

To obtain these results, we draw upon techniques for non-linear reconstruction developed in the context of information-theoretic private information retrieval (PIR) [CKGS98, WY05, Yek08, Efr09, DGY11, BIKO12, DG15]. Our \(O(n^{1/3})\) protocol exploits partial derivatives of polynomials, whereas our \(2^{O(\sqrt{\log n \log \log n})}\) uses matching vector families [Gro00], first invented in the context of explicit Ramsey graph constructions. While techniques from PIR have been used to improve communication complexity for information-theoretic cryptography e.g. [BIKK14], we do not know of any work that uses these techniques to improve communication complexity beyond the “linear reconstruction” barrier as we do.

Along the way, we also present new CDS protocols for low-degree polynomials (testing whether the polynomial evaluates to non-zero), along with an application to a new attribute-based encryption (ABE) scheme [SW05, GPSW06] for quadratic functions.

Finally, we show protocols in the stronger private simultaneous messages (PSM) model with optimal communication-degree tradeoffs. We summarize our CDS and PSM protocols in Fig. 2, and describe our results in more detail in the sequel.

Fig. 2.
figure 2

Summary of upper and lower bounds of \(\mathbf {INDEX}_n\) for CDS and PSM, where Alice holds \(\mathbf D\in \{0,1\}^n\) and Bob holds \(i \in [n]\), and the columns correspond to the number of bits sent by Alice and by Bob, along with the complexity of the reconstruction function.

Full size image

1.2 Our CDS Protocols

As mentioned earlier, our CDS protocols draw upon techniques for non-linear reconstruction developed in the context of information-theoretic PIR. Our starting point is a recent work of Beimel, Ishai, Kumaresan and Kushilevitz (BIKK) [BIKK14], showing how to use PIR to improve PSM and information-theoretic two-party computation in several different models. While BIKK applies general transformations to variants of PIR, our constructions exploit the techniques used in a PIR in a more non-black-box manner, and along the way, we improve upon and simplify some of the constructions in BIKK. For this reason, we will first provide an overview of our CDS protocols without referring to PIR, and then explain the connection to PIR after.

CDS for INDEX. Recall that in CDS for \(\mathbf {INDEX}_n\), Alice holds \(\mathbf D\in \{0,1\}^n\), Bob holds \(i \in [n]\) and \(\mu \in \{0,1\}\), and Charlie should learn \(\mu \) iff \(\mathbf D_i = 1\). Intuitively, the protocol proceeds by having Charlie “securely compute” \(\mu \mathbf D_i\), so that if \(\mathbf D_i = 0\), Charlie learns nothing about \(\mu \). To do this, we will relate \(\mu \mathbf D_i\) to some function \(F_{\mathbf D,i}(\cdot )\), which would form part of the construction function.

Our protocols have the following high-level structure:

  • Alice and Bob share randomness \(\mathbf b,\mathbf c\).

  • Bob deterministically encodes \(i \in [n]\) as a vector \(\mathbf u_i \in \{0,1\}^\ell \) and sends \(\mathbf m_B^1 := \mu \mathbf u_i + \mathbf b\);

  • We construct a function \(F_{\mathbf D,i}\) such that

    $$\begin{aligned} \mu \mathbf D_i = F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b) + \langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \end{aligned}$$
    (1)

    where \(\mathbf y_{\mathbf D,\mathbf b} \in \{0,1\}^\ell \) is completely determined given \(\mathbf D,\mathbf b\) and \(\langle \cdot ,\cdot \rangle \) corresponds to inner product. Note that Charlie can compute \(F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b)\) given \(\mathbf D,i,\mu \mathbf u_i+\mathbf b\).

  • In order for Charlie to also “securely” compute \(\langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \), Alice sends \(\mathbf m_A^1 := \mathbf y_{\mathbf D,\mathbf b} + \mathbf c\) and Bob sends \(m_B^2 := \langle \mathbf u_i,\mathbf c \rangle \).

  • Charlie can now compute \(\mu \mathbf D_i\) (and thus \(\mu \)) given \(\mathbf D,i,(\mathbf m_A^1,\mathbf m_B^1,m_B^2)\) by computing

    $$F_{\mathbf D,i}(\mathbf m_B^1) - \langle \mathbf u_i, \mathbf m_A^1 \rangle + m_B^2.$$

Note that the total communication is \(O(\ell )\), whereas the complexity of reconstruction is dominated by that of computing \(F_{\mathbf D,i}\). Privacy follows fairly readily from the fact that the joint distribution of \((\mathbf m_A^1,\mathbf m_B^1)\) is uniformly random, and that \(m_B^2\) is completely determined given \((\mathbf m_A^1,\mathbf m_B^1)\) and \(\mu \mathbf D_i\) along with \(\mathbf D,i\).

Realizing \(\mathbf u_i\) and \(F_{\mathbf D,i}\) . We sketch how to realize the encodings \(i \mapsto \mathbf u_i\) and \(F_{\mathbf D,i}\) by drawing upon 2-server PIR protocols from the literature (respectively [WY05] and [DG15]):

  • Our CDS with \(O(n^{1/3})\) communication uses degree 3 polynomials. Roughly speaking, we encode \(i \in [n]\) as \(\mathbf u_i \in \mathbb F_2^{O(n^{1/3})}\) (i.e., \(\ell =O(n^{1/3})\)) and \(\mathbf D\) as a vector \(\mathbf p\in \mathbb F_2^{O(n)}\) so that \(\mathbf D_i = \langle \mathbf p, \mathbf u_i \otimes \mathbf u_i \otimes \mathbf u_i \rangle \). Then, \(F_{\mathbf D,i}\) is (roughly) defined to be

    $$ \begin{aligned} F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b) ={}&\langle \mathbf p,(\mu \mathbf u_i + \mathbf b) \otimes (\mu \mathbf u_i + \mathbf b) \otimes \mathbf u_i \rangle + \langle \mathbf p,(\mu \mathbf u_i + \mathbf b) \otimes \mathbf u_i \otimes (\mu \mathbf u_i + \mathbf b) \rangle \\&+ \langle \mathbf p,\mathbf u_i \otimes (\mu \mathbf u_i + \mathbf b) \otimes (\mu \mathbf u_i + \mathbf b) \rangle \\ \end{aligned} $$

    This means

    $$ \begin{aligned} F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b) ={}&3 \mu \langle \mathbf p, \mathbf u_i \otimes \mathbf u_i \otimes \mathbf u_i \rangle \\&+ \underbrace{2\mu ( \langle \mathbf p, \mathbf u_i \otimes \mathbf u_i \otimes \mathbf b \rangle + \langle \mathbf p, \mathbf u_i \otimes \mathbf b\otimes \mathbf u_i \rangle + \langle \mathbf p, \mathbf b\otimes \mathbf u_i \otimes \mathbf u_i \rangle )}_{=0} \\&+ \underbrace{\langle \mathbf p, \mathbf u_i \otimes \mathbf b\otimes \mathbf b \rangle + \langle \mathbf p, \mathbf b\otimes \mathbf u_i \otimes \mathbf b \rangle + \langle \mathbf p, \mathbf b\otimes \mathbf b\otimes \mathbf u_i \rangle }_{=\langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle } \\ ={}&\mu \mathbf D_i + \langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \end{aligned} $$

    where in the last equality, we use the fact that we are working over \(\mathbb F_2\). Using this technique, we can in fact obtain communication-efficient CDS for degree 3 polynomials. Using an additional balancing technique, we can also obtain optimal trade-offs between the length of Alice’s and Bob’s messages.

  • Our CDS with \(2^{O(\sqrt{\log n\log \log n})}\) communication uses a matching vector family, namely a collection of vectors \(\{(\mathbf v_i, \mathbf u_i)\}_{i\in [n]}\) such that all vectors \(\mathbf u_i, \mathbf v_i \in \mathbb Z_6^\ell \) where \(\ell = 2^{O(\sqrt{\log n \log \log n})}\) and:

    $$\begin{aligned} \langle \mathbf v_i, \mathbf u_i \rangle&= 0, \\ \langle \mathbf v_i, \mathbf u_j \rangle&\in \{1,3,4\} \quad \text {for }i\ne j. \end{aligned}$$

    Here, the inner product computations are done mod 6. Such a matching vector family was originally constructed by Grolmusz [Gro00] and improved by Dvir et al. [DGY11]. We omit precise description of \(F_{\mathbf D,i}\) but note that it is closely related to the functions \(G,G'\) defined in Sect. 4 (which are the same as those used in [DG15]). In particular, the PIR in [DG15] matches the following high level description: The user’s queries are \(\mathbf u_i+\mathbf b\) and \(\mathbf b\), the servers’ answers are vectors \(H_{\mathbf D}(\mathbf u_i + \mathbf b)\) and \(H_{\mathbf D}(\mathbf b)\) such that

    $$\begin{aligned} \langle H_{\mathbf D}(\mathbf u_i + \mathbf b), \mathbf u_i \rangle - \langle H_{\mathbf D}(\mathbf b), \mathbf u_i \rangle = \mathbf D_i. \end{aligned}$$
    (2)

    We observe that the following relation also holds:

    $$\begin{aligned} \underbrace{\langle H_{\mathbf D}(\mu \mathbf u_i + \mathbf b), \mathbf u_i \rangle }_{F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b)} - \langle \underbrace{H_{\mathbf D}(\mathbf b)}_{\mathbf y_{\mathbf D,\mathbf b}}, \mathbf u_i \rangle = \mu \mathbf D_i. \end{aligned}$$
    (3)

    from which we may derive \(F_{\mathbf D,i}\). This technique can be further generalized to construction a CDS from any 2-server PIR with linear reconstruction.

Relation to PIR. A 2-server PIR protocol allows a user who holds an index \(i \in [n]\) to retrieve an arbitrary bit \(\mathbf D_i\) from a database \(\mathbf D\in \{0,1\}^n\) which is held by 2 servers, while hiding the index i from each individual server:

  • The user wants to learn \(\mathbf D_i\) instead of \(\mu \mathbf D_i\), and again, \(\mathbf D_i\) is written as an expression related to the same function \(F_{\mathbf D,i}\), but the expression itself is different. (Roughly speaking, this is analogous to the difference between Eqs. 2 and 3 above).

  • Bob’s message \(\mu \mathbf u_i + \mathbf b\) corresponds roughly to the user’s query to the first server; note that Bob’s message perfectly hides the index i.

  • In PIR, one difficulty lies in jointly computing the quantity corresponding to \(F_{\mathbf D,i}(\mu \mathbf u_i + \mathbf b)\) because no single party knows \(\mathbf D\) and i, whereas this is easy in CDS. In PIR, computing the quantity corresponding to \(\langle \mathbf u_i,\mathbf y_{\mathbf D,\mathbf b} \rangle \) is easy as the server can send \(\mathbf y_{\mathbf D,\mathbf b}\) to the user; in PIR, Alice cannot send \(\mathbf y_{\mathbf D,\mathbf b}\) as is to Charlie as it would leak information about \(\mathbf b\) and thus \(\mu \).

1.3 Our PSM Protocols

We consider the 2-party Private Simultaneous Message (PSM) model [FKN94] (c.f. Fig. 1): Alice holds x, Bob holds y and they both share some private randomness. Each of them sends a message to Charlie, upon which Charlie should learn \(\mathsf {P}(x,y)\) for some public function \(\mathsf {P}\) but otherwise learns nothing else about xy. While the inputs involved in a computation (namely x and y) are not hidden in the CDS setting, they are in PSM and thus this is a harder model to design protocols in.

The state of the art in known constructions is as follows: (i) For information-theoretic security, the length of both Alice’s message and Bob’s message are both quadratic in the size of the branching program representation of f [FKN94, IK00, IK02]; this holds for both the Boolean and arithmetic settings. (ii) For computational security, the length of Alice’s and Bob’s messages are optimal up to a multiplicative overhead by the security parameter; this is the celebrated Yao’s garbled circuits and requires only one-way functions.

In this work, we describe such a protocol for the class of multi-variate polynomials of total degree k, where Alice holds a degree-d polynomial \(\mathbf p\) in n variables, Bob holds an input \(\mathbf x\in \mathbb F_q^n\) and Charlie learns \(\mathbf p(\mathbf x)\) and nothing else. In our protocol, Alice sends \(O(n^k)\) bits and Bob sends O(kn) bits. This gives us a protocol for INDEX with degree-k reconstruction with the same communication profile, which is nearly optimal (up to the factor of k in Bob’s communication). We refer the reader to Fig. 2 for details.

We also give a PSM for degree 4 polynomials, where the polynomial \(\mathbf p\) (over GF(2)) is public, Alice and Bob hold \(\mathbf x\in \{0,1\}^n\) and \(\mathbf y\in \{0,1\}^n\) respectively, and Charlie gets \(\mathbf p(\mathbf x,\mathbf y)\). This in turn gives a simpler and more direct \(O(\sqrt{N})\) PSM for the predicate \(\mathbf {ALL}_N\), first shown in [BIKK14], along with an explicit bound on the degree of reconstruction. In \(\mathbf {ALL}_N\), there is a public predicate \(\mathsf {P}\), Alice and Bob hold \(\mathbf x\) and \(\mathbf y\) respectively, and Charlie gets \(\mathsf {P}(\mathbf x,\mathbf y)\).

1.4 Discussion

Additional Related Work. We mention some additional related works.

Secret Sharing. The complexity of secret sharing for graph-based access structures was extensively studied in a setting where the edges of the graph represent the only minimal authorized sets, that is, any set of parties that does not contain an edge should learn nothing about the secret. The notion of forbidden graph access structures we study, originally introduced in [SS97], can be viewed as a natural “promise version” of this question, where one is only concerned about sets of size 2. The best upper bound for the total share size for every graph access structure is \(O(N^2/\log N)\) [Bub86, BSGV96, EP97] whereas the best lower bounds are (i) \(\Omega (N \log N)\) for general secret-sharing schemes [vD95, BSSV97, Csi05] and (ii) \(\Omega (N^{3/2})\) for linear secret-sharing schemes [BGP95].

Attribute-Based Encryption. Attribute-based encryption (ABE) [SW05, GPSW06] is a new paradigm for public-key encryption that enables fine-grained access control for encrypted data. In attribute-based encryption, ciphertexts are associated with descriptive values x in addition to a plaintext, secret keys are associated with values y, and a secret key decrypts the ciphertext if and only if \(\mathsf {P}(x,y) = 1\) for some boolean predicate \(\mathsf {P}\). Note that x and y are public given the respective ciphertext and secret key. The security requirement for attribute-based encryption enforces resilience to collusion attacks, namely any group of users holding secret keys for different values learns nothing about the plaintext if none of them is individually authorized to decrypt the ciphertext.

In [Wat09], Waters introduced the powerful dual system encryption methodology for building adaptively secure IBE in bilinear groups; this has since been extended to obtain adaptively secure ABE for a large class of predicates [LW10, LOS+10, OT10, LW11, Lew12, OT12]. In recent works [Att14, Wee14] (with extensions in [CGW15]), Attrapadung and Wee presented a unifying framework for the design and analysis of dual system ABE schemes, which decouples the predicate \(\mathsf {P}\) from the security proof. Specifically, the latter work puts forth the notion of predicate encoding, a private-key, one-time, information-theoretic primitive similar to conditional disclosure of secrets, and provides a compiler from predicate encoding for a predicate \(\mathsf {P}\) into an ABE for the same predicate using the dual system encryption methodology. Moreover, the parameters in the predicate encoding scheme and in CDS correspond naturally to ciphertext and key sizes in the ABE. In particular, Alice’s message corresponds to the ciphertext, and Bob’s message to the secret key. These applications do require linear construction over \(\mathbb {Z}_q\), where q is the order of the underlying bilinear group. Note that while the parameters for ABE schemes coming from predicate encodings are not necessarily the best known parameters, they do match the state-of-the-art in terms of ciphertext and secret key sizes for many predicates such as inner product, index, and read-once formula.

Open Problems. We conclude with a number of open problems:

  • Two questions related to CDS for \(\mathbf {INDEX}_n\): (i) can we realize degree 2 reconstruction and communication \((\mathsf {cc}_A,\mathsf {cc}_B) = (1,\sqrt{n})\) (this would yield the full \((n/t^2,t)\) trade-off for all t); (ii) how about total communication \(O(n^{1/4})\) and degree 3 reconstruction, and more generally,\(O(n^{\frac{1}{k+1}})\) and degree k reconstruction for \(k \ge 3\)?

  • Broadcast encryption schemes for n parties with \(O(n^{1/3})\) ciphertext and secret key sizes from bilinear maps, by possibly exploiting our CDS for \(\mathbf {INDEX}_n\) with quadratic reconstruction.

  • PSM for \(\mathbf {ALL}_N\) with \(o(\sqrt{N})\) total communication.

  • Secret-sharing for general graph access structures with \(N^{3/2}\) total share size, or even \(N^{1+o(1)}\) total share size? A natural starting point would be to extend the connection between CDS and secret-sharing for forbidden graph access structures in [BIKK14] to that of general graph access structures.

Organization. We present our CDS protocols in Sects. 3 and 4, along with applications to secret-sharing and ABE in Sects. 4.2 and 3.4. We present our PSM protocols in Sect. 5. In Sect. A, we present further extensions (both upper and lower bounds) to a relaxation of PSM with a one-sided security guarantee.

2 Preliminaries

Notations. We denote by \(s \leftarrow _{\textsc {r}}S\) the fact that s is picked uniformly at random from a finite set S or from a distribution. Throughout this paper, we denote by \(\log \) the logarithm of base 2.

2.1 Conditional Disclosure of Secrets

We recall the notion of conditional disclosure of secrets (CDS), c.f., Fig. 2. The definition we give here is for two parties Alice and Bob and a referee Charlie, where Alice and Bob share randomness w and want to conditionally disclose a secret \(\alpha \) to Charlie. The general notion of conditional disclosure of secrets has first been investigated in [GIKM00]. Two-party CDS is closely related to the notions of predicate encoding [Wee14, CGW15] and pairing encoding [Att14]; in particular, the latter two notions imply two-party CDS with linear reconstruction.

Definition 2.1

(conditional disclosure of secrets (CDS) [GIKM00]). Fix a predicate \(\mathsf {P}: \mathscr {X}\times \mathscr {Y}\rightarrow \{0,1\}\). An \((\mathsf {cc}_\mathsf {A},\mathsf {cc}_\mathsf {B})\)-conditional disclosure of secrets (CDS) protocol for \(\mathsf {P}\) is a triplet of deterministic functions \((\mathsf {A}, \mathsf {B}, \mathsf {C})\)

figure a

satisfying the following properties:

  • (reconstruction.) For all \((x,y) \in \mathscr {X}\times \mathscr {Y}\) such that \(\mathsf {P}(x,y) = 1\), for all \(w \in \mathscr {W}\), and for all \(\alpha \in \mathscr {D}\):

    $$\begin{aligned} \mathsf {C}(x,y,\mathsf {A}(x,w,\alpha ),\mathsf {B}(y,w,\alpha )) = \alpha \end{aligned}$$

  • (privacy.) For all \((x,y) \in \mathscr {X}\times \mathscr {Y}\) such that \(\mathsf {P}(x,y) = 0\), and for all \(\mathsf {C}^* : \{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}} \rightarrow \mathscr {D}\),

    $$ \Pr _{w \leftarrow \mathscr {W}, \alpha \leftarrow _{\textsc {r}}\mathscr {D}}\Bigl [ \mathsf {C}^* \bigl (\mathsf {A}(x,w,\alpha ),\mathsf {B}(y,w,\alpha )\bigr ) = \alpha \Bigr ] \le \frac{1}{|\mathscr {D}|}$$

Note that the formulation of privacy above with uniformly random secrets is equivalent to standard indistinguishability-based formulations.

A useful measure for the complexity of a CDS is the complexity of reconstruction as a function of the outputs of \(\mathsf {A},\mathsf {B}\), as captured by the function \(\mathsf {C}\), with (xy) hard-wired.

Definition 2.2

( \(\mathscr {C}\)-reconstruction). Given a set \(\mathscr {C}\) of functions from \(\{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}}\) to \(\mathscr {D}\), we say that a CDS \((\mathsf {A},\mathsf {B},\mathsf {C})\) admits \(\mathscr {C}\)-reconstruction if for all (xy) such that \(\mathsf {P}(x,y)=1\), \(\mathsf {C}(x,y,\cdot ,\cdot ) \in \mathscr {C}\).

Two examples of \(\mathscr {C}\) of interest are:

  • \(\mathscr {C}_\text {all}\) is the set of all functions from \(\{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}} \rightarrow \mathscr {D}\); that is, we do not place any restriction on the complexity of reconstruction. Note that \(|\mathscr {C}_\mathrm {all}| = |\mathscr {D}|^{2^{\mathsf {cc}_\mathsf {A}+\mathsf {cc}_B}}\).

  • \(\mathscr {C}_\mathrm {lin}\) is the set of all linear functions over \(\mathbb {Z}_2\) from \(\{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}} \rightarrow \mathscr {D}\); that is, we require the reconstruction to be linear as a function of the outputs of \(\mathsf {A}\) and \(\mathsf {B}\) as bit strings (but may depend arbitrarily on xy). This is the analogue of linear reconstruction in linear secret sharing schemes and is a requirement for the applications to attribute-based encryption [Wee14, Att14, CGW15]. Note that \(|\mathscr {C}_\mathrm {linear}| \le |\mathscr {D}|^{{\mathsf {cc}_\mathsf {A}+\mathsf {cc}_B}}\) for \(|\mathscr {D}| \ge 2\).

Remark 2.3

Note that while looking at \(\mathscr {C}\), we consider \(\mathsf {C}(x,y,\cdot ,\cdot )\), which has (xy) hard-wired, and takes an input of total length \(\mathsf {cc}_\mathsf {A}+ \mathsf {cc}_\mathsf {B}\). In particular, it could be that \(\mathsf {C}\) runs in time linear in \(|x| = |y| = n\), and yet \(\mathsf {cc}_\mathsf {A}= \mathsf {cc}_\mathsf {B}= O(\log n)\) so \(\mathsf {C}\) has “exponential” complexity w.r.t. \(\mathsf {cc}_\mathsf {A}+ \mathsf {cc}_\mathsf {B}\).

Definition 2.4

(linear CDS). We say that a CDS \((\mathsf {A},\mathsf {B},\mathsf {C})\) is linear if it admits \(\mathscr {C}_\mathrm {lin}\)-reconstruction.

2.2 Private Simultaneous Message

Definition 2.5

(private simultaneous message (PSM)). Fix a functionality \(f : \mathscr {X}\times \mathscr {Y}\rightarrow \mathscr {D}\). An \((\mathsf {cc}_\mathsf {A},\mathsf {cc}_\mathsf {B})\)-private simultaneous message (PSM) protocol for f is a triplet of deterministic functions \((\mathsf {A}, \mathsf {B}, \mathsf {C})\)

$$\begin{aligned} \mathsf {A}: \mathscr {X}\times \mathscr {W}\rightarrow \{0,1\}^{\mathsf {cc}_A}, \quad \mathsf {B}: \mathscr {Y}\times \mathscr {W}\rightarrow \{0,1\}^{\mathsf {cc}_B}, \quad \mathsf {C}: \{0,1\}^{\mathsf {cc}_\mathsf {A}} \times \{0,1\}^{\mathsf {cc}_\mathsf {B}} \rightarrow \mathscr {D}\end{aligned}$$

satisfying the following properties:

  • (reconstruction.) For all \((x,y) \in \mathscr {X}\times \mathscr {Y}\):

    $$\begin{aligned} \mathsf {C}(\mathsf {A}(x,w),\mathsf {B}(y,w)) = f(x,y) \end{aligned}$$

  • (privacy.) There exists a randomized simulator \(\mathsf S\), such that for any \((x,y)\in \mathscr {X}\times \mathscr {Y}\) the joint distribution \((\mathsf {A}(x,w),\mathsf {B}(y,w))\) is perfectly indistinguishable from \(\mathsf S(f(x,y))\), where the distributions are taken over \(w \leftarrow \mathscr {W}\) and the coin tosses of \(\mathsf S\).

2.3 Predicates and Reductions

Predicates. We consider the following predicates:

  • Index \(\mathbf {INDEX}_n\): \(\mathscr {X}:= \{0,1\}^n, \mathscr {Y}:= [n]\) and

    $$\begin{aligned} \mathsf {P}_\mathbf {INDEX}(\mathbf D, i) = 1 \text { iff } \mathbf D_i = 1 \end{aligned}$$

    Here, \(\mathbf D_i\) denotes the i’th coordinate of \(\mathbf D\). Note that we can also interpret \(\mathbf D\) as the characteristic vector of a subset of [n].

  • Multi-linear Polynomials \(\mathbf {MPOLY}^{k}_{n_1,\ldots ,n_k}\): \(\mathscr {X}:= \mathbb F_q^{n_1\cdots n_k}, \mathscr {Y}:= \mathbb F_q^{n_1} \times \cdots \times \mathbb F_q^{n_k}\) and

    $$\begin{aligned} \mathsf {P}_\mathbf {MPOLY}(\mathbf p, (\mathbf x_1,\ldots ,\mathbf x_k)) = 1 \text { iff } \langle \mathbf p, \mathbf x_1 \otimes \cdots \otimes \mathbf x_k \rangle \ne 0 \end{aligned}$$

    This captures homogeneous multi-linear polynomials of total degree k in \(n_1 + \cdots + n_k\) variables over \(\mathbb F_q\); concretely, the variables are encoded as k vectors \(\mathbf x_1,\ldots ,\mathbf x_k\), each monomial is a product of k variables one from each of the k vectors, and \(\mathbf p\) is the vector of coefficients. In addition, our protocols work with inhomogeneous multi-linear polynomials as well. Simply observe that any (even non-homogeneous) multi-linear polynomial p in n variables of total degree at most k is captured by the class \(\mathbf {MPOLY}^{k}_{n+1,\ldots ,n+1}\).Footnote 1

  • All (“worst”) functions \(\mathbf {ALL}_{N}\): a fixed function \(F: [N] \times [N] \rightarrow \{0,1\}, \mathscr {X}= \mathscr {Y}:= [N]\)

    $$\begin{aligned} \mathsf {P}_\mathbf {ALL}(x,y) = F(x,y) \end{aligned}$$

Reductions. We have the following reductions from prior works:

  • \(\mathbf {MPOLY}^{k}_{n_1,\ldots ,n_k} \Rightarrow \mathbf {INDEX}_{n_1 \cdots n_k}\). On input \(\mathbf D\in \{0,1\}^n, i \in [n]\) where \(n = \prod _{j=1}^k n_j\), we map i to \((\mathbf e_{i_1},\ldots ,\mathbf e_{i_k})\) so that \(\mathbf e_i = \mathbf e_{i_1} \otimes \cdots \otimes \mathbf e_{i_k}\) and \(\mathbf D\) to \(\mathbf p\); this way, \(\langle \mathbf p,\mathbf e_{i_1} \otimes \cdots \otimes \mathbf e_{i_k} \rangle = \langle \mathbf D,\mathbf e_i \rangle = \mathbf D_i\).

  • \(\mathbf {INDEX}_{N} \Rightarrow \mathbf {ALL}_{N}\). Fix \(F : [N]\times [N] \rightarrow \{0,1\}\). We use the “truth table” reduction that maps \((x,y) \in [N] \times [N]\) to \(F(x,\cdot ) \in \{0,1\}^N, y \in [N]\).

2.4 Secret Sharing

Secret Sharing for Forbidden Graph Access Structure on N Parties. Consider a graph \(G=(V,E)\), where \(|V| = N\). Each vertex denotes a party. The sets that can reconstruct the secret are: (1) all sets of 3 or more parties, (2) all pairs of parties that correspond to vertexes that are not adjacent. The access structure is called forbidden graph as each edge indicates a pair of parties who can not jointly reconstruct the secret.

Secret Sharing for Forbidden Bipartite Graph Access Structure on 2N Parties. Consider a graph \(G=(L,R,E)\) where \(|L| = |R| = N\). Each vertex denotes a party. The sets that can reconstruct the secret are: (1) all pairs of parties that correspond to vertexes from the same side of the graph; (2) all pairs of parties that correspond to vertexes from different sides that are not adjacent.

Secret Sharing from PSM and CDS. As shown in [BIKK14, Sect. 7], a PSM scheme for \(\mathbf {ALL}_{N}\) where Alice and Bob sends at most \(\ell = \ell (N)\) bits yields secret-sharing schemes for every forbidden bipartite graph access structure on 2N nodes where the share size is \(O(\ell )\) bits. This further implies secret sharing schemes for every forbidden graph access structure on 2N nodes where the share size is \(O(\ell \log N)\) bits [BIKK14, Sect. J]. The technique can be generalized to a transformation from a CDS scheme – a weaker object – to a secret sharing scheme for forbidden graph structures.

Theorem 2.6

[BIKK14]. A CDS scheme for \(\mathbf {ALL}_{N+1}\) where Alice and Bob sends at most \(\ell = \ell (N)\) bits yields secret sharing schemes for forbidden bipartite graph access structure on 2N nodes.

Proof

Given any bipartite graph \(G=(L,R,E)\), let \((\mathsf {A},\mathsf {B},\mathsf {C})\) be a CDS for predicate \(\mathsf {P}:[N+1]\times [N+1]\rightarrow \{0,1\}\) such that

$$ \mathsf {P}(i,j) = {\left\{ \begin{array}{ll} 1, &{}\text { if } i,j \le N \text { and } (i,j)\notin E,\\ 0, &{}\text { otherwise.} \end{array}\right. } $$

Let \(\alpha \in \mathscr {D}\) denotes the secret. We construct a secret sharing scheme for G by dealing with the two types of authorized sets. First, the secret is shared among each side with Shamir’s 2-out-of-N threshold secret sharing. Next, sample random \(w\leftarrow \mathscr {W}\), let the i-th party on the left hold \(\mathsf {A}(i,w,\alpha )\), let the j-th party on the right hold \(\mathsf {B}(j,w,\alpha )\).

Correctness is straight-forward: 2 parties on the same side can reconstruct the secret from Shamir’s 2-out-of-N threshold secret sharing; the i-th party on the left and the j-th party on the right can reconstruct the secret using the reconstruction function of CDS for \(\mathbf {ALL}_{n+1}\) if \((i,j)\notin E\). Privacy follows from the following:

  • If \((i,j)\in E\), the i-th party on the left and the j-th party on the right hold \(\mathsf {A}(i,w,\alpha )\), \(\mathsf {B}(j,w,\alpha )\), whose joint distribution is independent from secret \(\alpha \) by the definition of CDS.

  • The i-party on the left holds \(\mathsf {A}(i,w,\alpha )\). By the definition of CDS, \(\mathsf {A}(i,w,\alpha )\), \(\mathsf {B}(N+1,w,\alpha )\) jointly leak no information about secret \(\alpha \).    \(\square \)

3 CDS for Degree-2 and 3 Polynomials with Applications to \(\mathbf {INDEX}\) and ABE

In this section, we present CDS for the class of multi-linear polynomials \(\mathbf {MPOLY}^{k}_{n_1,\ldots ,n_k}\) of degree \(k=2,3\) in Sects. 3.1 and 3.2, along with applications to \(\mathbf {INDEX}_n\) and ABE in Sects. 3.3 and 3.4.

3.1 Degree-2 Polynomials \(\mathbf {MPOLY}^2_{n_1,n_2}\) over \(\mathbb F_q\)

Recall that in \(\mathbf {MPOLY}^2_{n_1,n_2}\) over \(\mathbb F_q\), Alice holds \(\mathbf p\in \mathbb F_q^{n_1n_2}\), Bob holds \((\mathbf x_1,\mathbf x_2) \in \mathbb F_q^{n_1} \times \mathbb F_q^{n_2}\) and \(\mu \in \mathbb F_q\), and Charlie learns \(\mu \) iff \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle \ne 0\). (In Sect. B, we present a protocol for the “negated” setting where Charlie learns \(\mu \) iff \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle = 0\)).

Protocol Overview. The shared randomness comprises \((\mathbf b,\mathbf c) \in \mathbb F_q^{n_1} \times \mathbb F_q^{n_2}\). Bob sends \(\mathbf m_B^1 := \mu \mathbf x_1 + \mathbf b\). Now, Charlie knows \(\mathbf p,\mathbf x_1,\mathbf x_2, \mu \mathbf x_1+\mathbf b\), and could compute

$$\begin{aligned} \langle \mathbf p, (\mu \mathbf x_1 + \mathbf b) \otimes \mathbf x_2 \rangle = \mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle + \underbrace{\langle \mathbf p, \mathbf b\otimes \mathbf x_2 \rangle }_{\langle \mathbf p'_\mathbf b, \mathbf x_2 \rangle } \end{aligned}$$

where \(\mathbf p'_\mathbf b\in \mathbb F_q^{n_2}\) depends on \(\mathbf p\) and \(\mathbf b\). In order for Charlie to compute \(\langle \mathbf p'_\mathbf b,\mathbf x_2 \rangle \), and thus \(\mu \langle \mathbf p, \mathbf x\otimes \mathbf x \rangle \), the following needs to be done:

  • Alice sends \(\mathbf m_A^1 := \mathbf p'_\mathbf b+ \mathbf c\),

  • Bob sends \(m_B^2 := \langle \mathbf c,\mathbf x_2 \rangle \)

Now Charlie can recover \(\langle \mathbf p'_\mathbf b, \mathbf x_2 \rangle = \langle \mathbf m_A^1,\mathbf x_2 \rangle -m_B^2\). Concretely, Charlie recovers \(\mu \) using

$$ \mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle = \langle \mathbf p, \mathbf m_B^1 \otimes \mathbf x_2 \rangle + m_B^2 - \langle \mathbf m_A^1,\mathbf x_2 \rangle $$

This protocol is described in detail in Fig. 3.

Fig. 3.
figure 3

The CDS protocol for degree-2 polynomials with \((\mathsf {cc}_A,\mathsf {cc}_B) = (n_2 \log q,(n_1+1) \log q)\).

Full size image

Theorem 3.1

(CDS for \(\mathbf {MPOLY}^2_{n_1,n_2}\) ). There is a CDS protocol for degree-2 polynomials over \(\mathbb F_q\) (shown in Fig. 3) where Alice sends \(n_2\) elements of \(\mathbb F_q\), Bob sends \(n_1+1\) elements of \(\mathbb F_q\) and Charlie applies an \(\mathbb F_q\)-linear reconstruction function.

Proof

Correctness is straight-forward and follows from the computation above. Namely,

$$\begin{aligned} \langle \mathbf p, \mathbf m_B^1 \otimes \mathbf x_2 \rangle + m_B^2 - \langle \mathbf m_A^1, \mathbf x_2 \rangle&= \langle \mathbf p, (\mu \mathbf x_1 + \mathbf b) \otimes \mathbf x_2 \rangle + \langle \mathbf c, \mathbf x_2 \rangle - \langle \mathbf p'_\mathbf b+ \mathbf c, \mathbf x_2 \rangle \\&= \mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle + \langle \mathbf p, \mathbf b\otimes \mathbf x_2 \rangle - \langle \mathbf p'_\mathbf b, \mathbf x_2 \rangle \\&= \mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle \end{aligned}$$

since, by definition of \(\mathbf p'_\mathbf b\), \(\langle \mathbf p, \mathbf b\otimes \mathbf x_2 \rangle = \langle \mathbf p'_\mathbf b, \mathbf x_2 \rangle \).

It is also easy to see that the degree of reconstruction is 1. Privacy follows from the following observations:

  • The joint distribution of \(\mathbf m_B^1\) and \(\mathbf m^1_A\) is uniformly random, since we are using \((\mathbf b,\mathbf c)\) as one-time pads; and

  • \(m^2_B = \mu \langle \mathbf p, \mathbf x\otimes \mathbf x_2 \rangle - \langle \mathbf p, \mathbf m_B^1 \otimes \mathbf x_2 \rangle + \langle \mathbf m_A^1,\mathbf x_2 \rangle \)

Putting the two together, we can simulate \(\mathbf m_A^1,\mathbf m_B^1\) and \(m_B^2\) given just \(\mathbf x_1,\mathbf x_2, \mathbf p\), \(\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle \). This finishes the proof.    \(\square \)

The total communication is \(\mathsf {cc}_A = n_2\) elements of \(\mathbb F_q\) and \(\mathsf {cc}_B = n_1 + 1\) elements of \(\mathbb F_q\) for a total of \(n_1 + n_2 + 1\). We will use this generalization later in this section to design a CDS protocol for the INDEX functionality with a general communication tradeoff between Alice and Bob.

3.2 Degree 3 Polynomials \(\mathbf {MPOLY}^3_{n_1,n_2,n_3}\) over \(\mathbb F_2\)

In \(\mathbf {MPOLY}^3_{n_1,n_2,n_3}\) over \(\mathbb F_2\), Alice holds \(\mathbf p\in \mathbb F_2^{n_1n_2n_3}\), Bob holds \((\mathbf x_1,\mathbf x_2,\mathbf x_3) \in \mathbb F_2^{n_1} \times \mathbb F_2^{n_2} \times \mathbb F_2^{n_3}\) and \(\mu \in \mathbb F_2\), and Charlie learns \(\mu \) iff \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \ne 0\). In contrast to Sect. 3.1, we can only handle polynomials over \(\mathbb F_2\) here, yet this will be sufficient for our CDS protocol for INDEX in Sect. 3.3.

Protocol Overview. The shared randomness comprises \((\mathbf b_1,\mathbf b_2,\mathbf b_3,\mathbf c) \in \mathbb F_2^{n_1} \times \mathbb F_2^{n_2} \times \mathbb F_2^{n_3} \times \mathbb F_2^{n_1+n_2+n_3}\). Bob sends \(\mathbf m_B^1 := \mu \mathbf x_1 + \mathbf b_1\). Now, Charlie knows \(\mathbf p,\mathbf x_1,\mathbf x_2,\mathbf x_3,\mu \mathbf x_1+\mathbf b_1,\mu \mathbf x_2+\mathbf b_2,\mu \mathbf x_3+\mathbf b_3\), and could compute

$$\begin{aligned} { \begin{aligned}&\langle \mathbf p, (\mu \mathbf x_1 + \mathbf b_1) \otimes (\mu \mathbf x_2 + \mathbf b_2) \otimes \mathbf x_3 \rangle + \langle \mathbf p, (\mu \mathbf x_1 + \mathbf b_1) \otimes \mathbf x_2 \otimes (\mu \mathbf x_3 + \mathbf b_3) \rangle \\&+ \langle \mathbf p, \mathbf x_1 \otimes (\mu \mathbf x_2 + \mathbf b_2) \otimes (\mu \mathbf x_3 + \mathbf b_3) \rangle \\ ={}&3\mu ^2 \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \\&+ 2\mu (\langle \mathbf p, \mathbf b_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle + \langle \mathbf p, \mathbf x_1 \otimes \mathbf b_2 \otimes \mathbf x_3 \rangle + \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf b_3 \rangle ) \\&+ \underbrace{\langle \mathbf p, \mathbf b_1 \otimes \mathbf b_2 \otimes \mathbf x_3 \rangle + \langle \mathbf p, \mathbf b_1 \otimes \mathbf x_2 \otimes \mathbf b_3 \rangle + \langle \mathbf p, \mathbf x_1 \otimes \mathbf b_2 \otimes \mathbf b_3 \rangle }_{ \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3},\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle } \\ ={}&\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle + \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3},\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \end{aligned}} \end{aligned}$$
(4)

where in the last equality, we use the fact that we are working over \(\mathbb F_2\).

As in the degree-2 case, Alice then sends \(\mathbf m_A^1 := \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3} + \mathbf c\) and Bob also sends \(m_B^4 := \langle \mathbf c,\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \). From these, Charlie can recover \(\langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3}, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \) and thus \(\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \). Thus, he recovers \(\mu \) if and only if \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \ne 0\). This protocol is described in detail in Fig. 4.

Fig. 4.
figure 4

The CDS protocol for degree-3 polynomials. with \((\mathsf {cc}_A,\mathsf {cc}_B) = (n_1+n_2+n_3,n_1+n_2+n_3+1)\).

Full size image

Theorem 3.2

(CDS for \(\mathbf {MPOLY}^3_{n_1,n_2,n_3}\) ). There is a CDS protocol for degree-3 polynomials over \(\mathbb F_2\) (shown in Fig. 4) where Alice sends \(n_1+n_2+n_3\) bits Bob sends \(n_1+n_2+n_3+1\) bits, and Charlie applies a degree-2 reconstruction function (over \(\mathbb F_2\)).

Proof

Correctness is straight-forward and follows from the computation above. Namely, from (4), we know that

figure b

Charlie computes

$$\begin{aligned}&\langle \mathbf p, \mathbf m_B^1 \otimes \mathbf m_B^2 \otimes \mathbf x_3 + \mathbf m_B^1 \otimes \mathbf x_2 \otimes \mathbf m_B^3 + \mathbf x_1 \otimes \mathbf m_B^2 \otimes \mathbf m_B^3 \rangle \\&+ m_B^4 - \langle \mathbf m_A^1, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \\ ={}&\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle + \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3},\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \\&+ \langle \mathbf c, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3\rangle - \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3} + \mathbf c, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \\ ={}&\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \end{aligned}$$

It is also easy to see that Alice sends \(n_1+n_2+n_3\) bits in total, Bob sends \(n_1+n_2+n_3+1\) bits, and that the degree of reconstruction is 2.

Privacy follows from the following observations:

  • The joint distribution of \(\mathbf m_B^1,\mathbf m_B^2,\mathbf m_B^3\) and \(\mathbf m^1_A\) is uniformly random, since we are using \((\mathbf b_1,\mathbf b_2,\mathbf b_3,\mathbf c)\) as one-time pads;

  • The last bit of Bob’s message, namely \(m^4_B\), is uniquely defined given \(\mathbf m_A^1\), \(\mathbf m_B^1,\mathbf m_B^2,\mathbf m_B^3\) and \(\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3\rangle \). In particular,

    $$\begin{aligned} m_B^4 ={}&\langle \mathbf c,\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \\ ={}&\langle \mathbf m^1_A, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle - \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf b_3},\mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle \\ ={}&\langle \mathbf m^1_A, \mathbf x_1\Vert \mathbf x_2\Vert \mathbf x_3 \rangle + \mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \\&- \langle \mathbf p, \mathbf m_B^1 \otimes \mathbf m_B^2 \otimes \mathbf x_3 + \mathbf m_B^1 \otimes \mathbf x_2 \otimes \mathbf m_B^3 + \mathbf x_1 \otimes \mathbf m_B^2 \otimes \mathbf m_B^3 \rangle \end{aligned}$$

Putting the two together, we can simulate \(\mathbf m_A^1,\mathbf m_B^1,\mathbf m_B^2,\mathbf m_B^3,m_B^4\) given just \(\mathbf x_1,\mathbf x_2,\mathbf x_3, \mathbf p\) and \(\mu \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf x_3 \rangle \).    \(\square \)

Remark 3.3

(Beyond degree 3). For degree d, the above approach yields communication complexity \(O(n^{d-2})\), which is no better than \(O(n^{\lceil d/2 \rceil })\) for \(d \ge 4\). To get to \(O(n^{d-3})\) with the above approach, we would want to pick a field and a in the field such that \(da^{d-1} \ne 0, (d-1)a^{d-2}, (d-2)a^{d-3} = 0\). This is impossible since \(a^{d-2} = (d-1)a^{d-2} - a \cdot (d-2)a^{d-3} = 0\).

3.3 CDS for \(\mathbf {INDEX}_n\)

Recall that in \(\mathbf {INDEX}_n\), Alice holds \(\mathbf D\in \{0,1\}^n\), Bob holds \(i \in [n]\) and \(\mu \in \mathbb F_q\), and Charlie learns \(\mu \) iff \(\mathbf D_i = 1\). We obtain several CDS protocols for \(\mathbf {INDEX}_n\) by combining the reductions in Sect. 2.3 and our CDS protocols from Sects. 3.1 and 3.2.

Theorem 3.4

There are CDS protocols for \(\mathbf {INDEX}_n\) with:

  • \((\mathsf {cc}_A, \mathsf {cc}_B) = (\lceil n/t \rceil , t+1)\) and degree-1 reconstruction, for \(1 \le t \le n\); and

  • \((\mathsf {cc}_A, \mathsf {cc}_B) = (\lceil n/t^2 \rceil , 3t+1)\) and degree-2 reconstruction, for \(1\le t \le n^{1/3}\).

As a corollary, we obtain a CDS for \(\mathbf {INDEX}_n\) with total communication \(O(n^{1/2})\) and degree-1 reconstruction, and one with total communication \(O(n^{1/3})\) and degree-2 reconstruction.

We note that the first bullet was already shown in prior works [GKW15], but we provide an alternative, more algebraic construction here.

Proof

The first bullet follows readily from combining the \(\mathbf {MPOLY}^{2}_{n/t,t} \Rightarrow \mathbf {INDEX}_{n}\) reduction in Sect. 2.3 with our CDS for \(\mathbf {MPOLY}^{2}_{n/t,t}\) in Theorem 3.1. This immediately yields a CDS for \(\mathbf {INDEX}_n\) with \((\mathsf {cc}_A,\mathsf {cc}_B) = (n/t, t+1)\) and degree-1 reconstruction.

For the second bullet, we start by observing that combining the \(\mathbf {MPOLY}^{3}_{t,t,t} \Rightarrow \mathbf {INDEX}_{t^3}\) reduction in Sect. 2.3 with our CDS for \(\mathbf {MPOLY}^{3}_{t,t,t}\) in Theorem 3.2. This immediately yields a CDS for \(\mathbf {INDEX}_{t^3}\) with \((\mathsf {cc}_A,\mathsf {cc}_B) = (3t, 3t+1)\) and degree-2 reconstruction.

To go from \(\mathbf {INDEX}_{t^3}\) to \(\mathbf {INDEX}_n\), fix any \(t \in [n^{1/3}]\) and run \(\frac{n}{t^3}\) copies of CDS for \(\mathbf {INDEX}_{t^3}\). That is,

  • Alice breaks up \(\mathbf D\) into \(n/t^3\) databases \(\mathbf D^1,\ldots ,\mathbf D^{n/t^3} \in \{0,1\}^{t^3}\), and runs \(n/t^3\) copies of CDS for \(\mathbf {INDEX}_{t^3}\), each of which incurs O(t) communication.

  • Bob parses his input \(i \in [n]\) as \((j,i') \in [n/t^3] \times [t^3]\) so that \(\mathbf D^j_{i'} = \mathbf D_i\). Then, Bob just needs to send a message for the CDS corresponding to \(\mathbf D^j\) and with input \(i' \in [t^3]\). This means that Bob only sends \(3t + 1\) bits.

Altogether, Alice sends \(\frac{n}{t^3} \cdot 3t\) bits and Bob sends \(3t + 1\) bits.    \(\square \)

Remark 3.5

(balancing communication in CDS). The idea of constructing a CDS for \(\mathbf {INDEX}_n\) from n / t copies of CDS for \(\mathbf {INDEX}_t\) works well on any CDS protocol for \(\mathbf {INDEX}\). It’s also implicitly used in the previous \((\mathsf {cc}_A,\mathsf {cc}_B) = (n/t,t+1)\) CDS for \(\mathbf {INDEX}_n\) (e.g. [GKW15]). In general, a CDS protocols for \(\mathbf {INDEX}_n\) with communication complexity \((\mathsf {cc}_A,\mathsf {cc}_B)\) implies CDS protocols for \(\mathbf {INDEX}_n\) with communication communication \((\mathsf {cc}'_A,\mathsf {cc}'_B) = (\lceil \frac{n}{t}\rceil \mathsf {cc}_A(t), \mathsf {cc}_B(t))\) for any \(t\in [n]\).

3.4 Attribute-Based Encryption for Degree-2 Polynomials

We obtain a new ABE scheme for degree-2 polynomials, by essentially combining the framework of Chen, Gay and Wee (CGW) [CGW15] with our CDS schemes for \(\mathbf {MPOLY}^2_{n_1,n_2}\). In the ABE, ciphertexts are associated \(\mathbf p\in \mathbb F_q^{n_1n_2}\), secret keys with \((\mathbf x_1,\mathbf x_2) \in \mathbb F_q^{n_1} \times \mathbb F_q^{n_2}\), and decryption is possible whenever \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle \ne 0\). We obtain an adaptively secure ABE under the standard k-linear assumption in prime-order bilinear groups, where ciphertext contains \(O(n_2)\) group elements, and the secret key contains \(O(n_1)\) group elements. This achieves a quadratic savings over the naive approach of encoding degree-2 polynomials as an inner product, where the total ciphertext and secret key size will be \(O(n_1n_2)\) group elements.

Formally, the CGW framework requires CDS with additional structure (e.g. Alice’s and Bob’s messages are linear in the shared randomness), which our schemes do satisfy with some straight-forward modifications. In the ABE scheme, the master public key, secret key and ciphertext are of the form:

$$\begin{aligned} { \begin{aligned} \textsf {mpk}&:= \bigl (\,g_1, \; g_1^\mathbf b, g_1^\mathbf c, \; e(g_1,g_1)^\alpha \,\bigr )\\ \textsf {ct}_\mathbf p&:= \bigl (\,g_1^s, \; g_1^{s(\mathbf p'_\mathbf b+\mathbf c)}, \; e(g_1,g_1)^{\alpha s}\cdot m\bigr )\\ \textsf {sk}_{\mathbf x_1,\mathbf x_2}&:= \bigl (\,g_1^r,\;g_1^{\alpha \mathbf x_1 + r \mathbf b}, g_1^{\langle \mathbf c,\mathbf x_2 \rangle r}\,\bigr ) \end{aligned}} \end{aligned}$$
(5)

where \(\mathbf p'_\mathbf b\) is defined as in Fig. 3. Decryption relies on the fact that

$$ s \cdot (\langle \mathbf p, (\alpha \mathbf x_1 + r \mathbf b) \otimes \mathbf x_2 \rangle + \langle \mathbf c,\mathbf x_2 \rangle r)- \langle s(\mathbf p'_\mathbf b+\mathbf c) \rangle \cdot r = \alpha s \cdot \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \rangle $$

4 CDS for INDEX from Matching Vector Families

Recall that in \(\mathbf {INDEX}_n\), Alice holds \(\mathbf D\in \{0,1\}^n\), Bob holds \(i \in [n]\) and \(\mu \in \mathbb F_q\), and Charlie learns \(\mu \) iff \(\mathbf D_i = 1\). In this section, we will construct a CDS protocol for \(\mathbf {INDEX}_n\) with communication complexity \(2^{O(\sqrt{\log n\log \log n})}\). The key tool in the construction is matching vector families first constructed by Grolmusz [Gro00] and introduced to cryptography in the context of PIR [Yek08, Efr09, DGY11, DG15].

Lemma 4.1

(Matching vector family [Gro00]). For every sufficiently large \(n \in \mathbb {N}\), there exists a collection of vectors \(\{(\mathbf v_i, \mathbf u_i)\}_{i\in [n]}\) such that \(\mathbf u_i, \mathbf v_i \in \mathbb Z_6^\ell \) where \(\ell = 2^{O(\sqrt{\log n \log \log n})} = n^{o(1)}\) and:

$$\begin{aligned} \langle \mathbf v_i, \mathbf u_i \rangle&= 0, \\ \langle \mathbf v_i, \mathbf u_j \rangle&\in \{1,3,4\} \quad \text {for }i\ne j. \end{aligned}$$

Moreover, the collection of vectors is computable in time \(\mathsf {poly}(n)\).

Such a collection of vectors is known in the literature as a matching vector family; the statement above corresponds to the special case where the underlying modulus is 6. Our CDS for \(\mathbf {INDEX}_n\) uses the above matching vector family in a way similar to the 2-server PIR in [DG15].

4.1 CDS for \(\mathbf {INDEX}_n\) with \(n^{o(1)}\) communication

Protocol Overview. The shared randomness consists of \((\mathbf b,\mathbf c,c') \in \mathbb Z_6^\ell \times \mathbb Z_3^\ell \times {\mathbb Z_3}\). Following [DG15], we consider the following functions \(G, G' : \{0,1\}\rightarrow \mathbb Z_3\) (which depend on both inputs i and \(\mathbf D\) and randomness \(\mathbf b\)) given byFootnote 2

$$\begin{aligned} G(t) := \sum _{j \in [n]} D_j \cdot (-1)^{\langle t \mathbf u_i + \mathbf b, \mathbf v_j \rangle },\quad G'(t) := \sum _{j \in [n]} \langle \mathbf u_i, \mathbf v_j \rangle \cdot D_j \cdot (-1)^{\langle t \mathbf u_i + \mathbf b, \mathbf v_j \rangle } \end{aligned}$$
(6)

where \(D_j\) is the \(j^{th}\) entry of the vector \(\mathbf D\). Our protocol crucially exploits the identity

$$\begin{aligned} (2\mu -1) G'(0) - (2\mu -1) G(0) - G(\mu ) +G'(\mu ) = \mu \cdot D_i \cdot (-1)^{\langle \mathbf b,\mathbf v_i \rangle } \end{aligned}$$
(7)

which relies on both the properties of the matching vector family and the structure of the underlying ring \(\mathbb Z_3\) (we defer the proof to the end of this section). To compute the left hand side of Eq. 7, namely \((2\mu -1) G'(0) - (2\mu -1) G(0) - G(\mu ) +G'(\mu )\) (and therefore recover \(\mu \) if \(D_i = 1\)), we observe that

  • Bob sends \(\mathbf m_B^1 := \mu \mathbf u_i + \mathbf b\) to Charlie.

  • Charlie knows \(i,\mathbf D\) and \(\mu \mathbf u_i + \mathbf b\) and could therefore compute \(G(\mu )\) and \(G'(\mu )\).

  • Alice can compute \(G(0) = \sum _j D_j (-1)^{\langle \mathbf b, \mathbf v_j \rangle }\) since it does not depend on i. Alice then sends \(m_A^1 = (2\mu -1)G(0)-c'\).

  • We can write \(G'(0) = \sum _j \langle \mathbf u_i, \mathbf v_j \rangle D_j (-1)^{\langle \mathbf b, \mathbf v_j \rangle }\) as

    $$\langle \mathbf u_i, \sum _j \mathbf v_j D_j (-1)^{\langle \mathbf b, \mathbf v_j \rangle } \rangle $$

    Alice would send \(\mathbf m_A^2 := \mathbf c+ (2\mu -1) \sum _j \mathbf v_j D_j (-1)^{\langle \mathbf b, \mathbf v_j \rangle }\) and Bob would send \(m_B^2 := \langle \mathbf u_i,\mathbf c \rangle +c'\). Note that we have \((2\mu -1) G'(0) - (2\mu -1) G(0) = - m_A^1 + \langle \mathbf u_i,\mathbf m_A^2 \rangle - m_B^2\).

  • Charlie outputs 1 if \((2\mu -1) G'(0) - (2\mu -1) G(0) - G(\mu ) +G'(\mu ) \ne 0\), and 0 otherwise.

Fig. 5.
figure 5

The \(2^{O(\sqrt{\log n \log \log n})}\)-bit CDS protocol for \(\mathbf {INDEX}_n\) using matching vector families.

Full size image

Theorem 4.2

There is a CDS protocol for \(\mathbf {INDEX}_n\) (given in Fig. 5) with \(\mathsf {cc}_A, \mathsf {cc}_B = 2^{O(\sqrt{\log n \log \log n})}\).

Analysis. Correctness is straight-forward. It is also easy to see that the total communication complexity is \(O(\ell ) = 2^{{O}(\sqrt{\log n\log \log n})}\). Privacy follows from the following observations:

  • the joint distribution of \(\mathbf m_B^1,m^1_A,\mathbf m^2_A\) is uniformly random, since we are using \((\mathbf b,\mathbf c,c')\) as one-time pads;

  • when \(D_i = 0\), we have \((2\mu -1) G'(0) - (2\mu -1) G(0) - G(\mu ) +G'(\mu ) = 0\). This means that \(m_B^2 = \langle \mathbf u_i,\mathbf m_A^2 \rangle - m_A^1 - G(\mu ) + G'(\mu )\). Recall that \(G(\mu ),G'(\mu )\) can in turn be computed from \(\mathbf D,i,\mathbf m_B^1\).

Putting these together, we can simulate \(m_A^1,\mathbf m_A^2,\mathbf m_B^1,m_B^2\) given just \(\mathbf D,i\) when \(D_i = 0\).

Completing the Proof. It remains to prove the identity described in (7). Fix \(i \in [n], \mathbf D\in \{0,1\}^n\) and \(\mathbf b\in \mathbb Z_6^\ell \). For \(\sigma \in \{0,1,3,4\}\), we define

$$\begin{aligned} S_\sigma&\mathrel {:=}\{ j : \langle \mathbf u_i,\mathbf v_j \rangle = \sigma \} \subseteq [n]\\ c_\sigma&\mathrel {:=}\sum _{j \in S_\sigma } D_j (-1)^{\langle \mathbf b, \mathbf v_j \rangle } \in \mathbb Z_3 \end{aligned}$$

We can then rewrite \(G(t),G'(t)\) as

$$\begin{aligned} G(t)&= \sum _{\sigma } \bigl (\sum _{j \in S_\sigma } D_j (-1)^{\langle \mathbf b, \mathbf v_j \rangle }\bigr ) \cdot (-1)^{t \sigma } \\ G'(t)&= \sum _{\sigma } \sigma \bigl (\sum _{j \in S_\sigma } D_j (-1)^{\langle \mathbf b, \mathbf v_j \rangle }\bigr ) \cdot (-1)^{t \sigma } \end{aligned}$$

and thus

$$\begin{aligned} G(t) = c_0 + c_1 (-1)^t + c_3 (-1)^{3t} + c_4 (-1)^{4t},\quad G'(t) = c_1 (-1)^t + c_4 (-1)^{4t} \end{aligned}$$

This means

$$\begin{aligned} \begin{bmatrix} G(0) \\ G'(0) \\ G(1) \\ G'(1) \end{bmatrix} = \begin{bmatrix} 1&1&1&1 \\&1&1 \\ 1&-1&-1&1 \\&-1&1 \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ c_3 \\ c_4 \end{bmatrix} \end{aligned}$$
(8)

It is then easy to see that

$$\begin{aligned} G(0) - G'(0)&= c_0 + c_3\\ G(1) - G'(1)&= c_0 - c_3\\ G(\mu ) - G'(\mu )&= c_0 + (1-2\mu ) c_3 \end{aligned}$$

Therefore,

$$ (G(\mu )-G'(\mu )) - (1-2\mu ) (G(0)-G'(0)) = 2\mu \cdot c_0 = -\mu \cdot c_0 $$

The identity in (7) then follows readily from the fact that \(c_0 = D_i \cdot (-1)^{\langle \mathbf b,\mathbf v_i \rangle }\).

Comparison with Dvir and Gopi. Dvir and Gopi considered the ring \(\mathbb Z_6[X]/(X^6-1)\) which has a generator X, but we use \(\mathbb Z_3\) and \(-1\) as suggested there-in. The definitions of \(G(t),G(t'),c_0,c_1,c_3,c_4\) are the same as those in DG, and the relation in (8) is a simplification of that in DG.

Remark 4.3

(From PIR to CDS). In Sect. 1.2, we informally construct a CDS for \(\mathbf {INDEX}_n\) from any 2-server PIR scheme whose reconstruction function has good structure (as in formula (2)). We claimed that [DG15] has similar structure so that the construction is possible.

Let , , . Define , then . Finally,

which is similar to the property mentioned in Sect. 1.2.

4.2 Applications to \(\mathbf {ALL}_N\) and Secret-Sharing

Corollary 1

There exist CDS schemes for \(\mathbf {ALL}_N\) with \(\mathsf {cc}_A = \mathsf {cc}_B = 2^{O(\sqrt{\log N \log \log N})}\).

Corollary 2

There are secret sharing schemes for forbidden graph access structures on N nodes where the share size for each node is \(2^{O(\sqrt{\log N \log \log N})}\) bits and total share size is \(N \cdot 2^{O(\sqrt{\log N \log \log N})} = N^{1 + o(1)}\).

Combining Theorem 4.2 and reduction for \(\mathbf {INDEX}_{N} \Rightarrow \mathbf {ALL}_{N}\) in Sect. 2.3 yields Corollary 1 immediately. Further combining Corollary 1 with the construction of secret sharing schemes for forbidden graph access structures from CDS for \(\mathbf {ALL}\) (Theorem 2.6) yields Corollary 2.

5 PSM for Polynomials with Applications to \(\mathbf {INDEX}\)

5.1 Degree-k Polynomials \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\)

We start with a PSM protocol for degree-k polynomials, which is “essentially optimal” in the sense that the communication complexity is roughly the same as that for sending the inputs in the clear. Our protocol uses the standard “random shift” technique in information-theoretic cryptography, but to the best of our knowledge, the protocol has not appeared in the literature.

Warm-up. Suppose Alice holds multi-variate polynomial p in n variables over \(\mathbb F_q\) of total degree at most k, Bob holds an input \(\mathbf x\in \mathbb F_q^n\), and we want Charlie to learn \(p(\mathbf x)\) and nothing else. Here is a simple protocol:

  • the shared randomness is \(\mathbf w\in \mathbb F_q^n\) along with a random polynomial g of total degree k;

  • Alice sends \((\mathbf x',u) := (\mathbf x+\mathbf w,g(\mathbf x+\mathbf w))\); Bob sends the polynomial h where \(h(\mathbf y) := p(\mathbf y-\mathbf w)+g(\mathbf y)\); Charlie outputs \(h(\mathbf x') - u\).

Correctness is straight-forward. Privacy follows readily from the fact that we can simulate the view of Charlie given \(p(\mathbf x)\) by picking a random \(\mathbf x',h\) and outputting \((\mathbf x',h(\mathbf x')-f(\mathbf x)),h\). Alice only sends a polynomial, thus her communication complexity \(\mathsf {cc}_A\) matches the information lower bound.

This warm-up PSM relies on the fact that for any degree-k polynomial \(p(\mathbf x)\), after shifting the input by a vector \(\mathbf w\), the resulting polynomial \(p(\mathbf x-\mathbf w)\) is still a degree-k polynomial. This is not true for homogeneous polynomial (e.g. \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\)). Therefore, when we apply the technique from this warm-up PSM to \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\), the one-time pad polynomial g is chosen from a class larger than \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\). A naïve solution is to sample random n-variate degree-k polynomial g. This makes Alice’s message (\(\ge \frac{(n_1+\ldots +n_k+1)^k}{k!}\) bits) much longer than her input (\(\prod _jn_j\) bits). In order to overcome this difficult and preserve close-to-optimal communication complexity, we sample g from a more subtle polynomial class.

Functionality. The functionality \(\mathbf {MPOLY}^k_{n_1,\ldots ,n_k}\) is defined as: Alice holds a homogeneous multi-linear polynomial \(\mathbf p\in \mathbb F_q^{n_1\ldots n_k}\) and Bob holds \({\overline{\mathbf {x}}}\mathrel {:=}(\mathbf x_1,\ldots ,\mathbf x_k) \in \mathbb F_q^{n_1}\otimes \ldots \otimes \mathbb F_q^{n_k}\). Charlie learns \(\mathbf p({\overline{\mathbf {x}}}) \mathrel {:=}\langle \mathbf p, \mathbf x_1 \otimes \ldots \otimes \mathbf x_k \rangle \).

Protocol Overview. The shared randomness comprises \({\overline{\mathbf {b}}}= (\mathbf b_1,\ldots ,\mathbf b_k) \in \mathbb F_q^{n_1}\times \ldots \times \mathbb F_q^{n_k}\) and a random polynomial g. Bob sends \({\overline{\mathbf {m}}}_B^1 \mathrel {:=}{\overline{\mathbf {x}}}+{\overline{\mathbf {b}}}\) and Alice sends a polynomial h such that \(h({\overline{\mathbf {y}}}) \mathrel {:=}\langle \mathbf p, (\mathbf y_1-\mathbf b_1)\otimes \ldots \otimes (\mathbf y_k-\mathbf b_k) \rangle + g({\overline{\mathbf {y}}})\). Now Charlie knows, \({\overline{\mathbf {x}}}+{\overline{\mathbf {b}}}, h\), and can compute

$$ h({\overline{\mathbf {x}}}+{\overline{\mathbf {b}}}) = \langle \mathbf p,\mathbf x_1 \otimes \ldots \otimes \mathbf x_k \rangle + g({\overline{\mathbf {x}}}+{\overline{\mathbf {b}}}). $$

Charlie could learns \(f({\overline{\mathbf {x}}})\) if Bob sends \(m_B^2 \mathrel {:=}g({\overline{\mathbf {x}}}+{\overline{\mathbf {b}}})\).

When we compose homogeneous polynomial \(\mathbf p({\overline{\mathbf {y}}}) \mathrel {:=}\langle \mathbf p,\mathbf y_1 \otimes \ldots \otimes \mathbf y_k \rangle \) with an input shift, the resulting polynomial \(\langle \mathbf p, (\mathbf y_1-\mathbf b_1)\otimes \ldots \otimes (\mathbf y_k-\mathbf b_k) \rangle \) is not homogeneous. Let \(\mathbf y_1\Vert 1\) denote the vector obtained by padding constant 1 at the end of \(\mathbf y\). There exists \(\mathbf p'_{\mathbf b_1,\ldots ,\mathbf b_k} \in \mathbb F_q^{(n_1+1)\ldots (n_k+1)}\) such that

$$ \langle \mathbf p, (\mathbf y_1-\mathbf b_1)\otimes \ldots \otimes (\mathbf y_k-\mathbf b_k) \rangle = \langle \mathbf p'_{\mathbf b_1,\ldots ,\mathbf b_k}, (\mathbf y_1\Vert 1) \otimes \ldots \otimes (\mathbf y_k\Vert 1) \rangle . $$

Therefore, to hide polynomial \(\langle \mathbf p, (\mathbf y_1-\mathbf b_1)\otimes \ldots \otimes (\mathbf y_k-\mathbf b_k) \rangle \) using a one-time pad, Alice pick a random polynomial g that

$$\begin{aligned} g({\overline{\mathbf {x}}}) \mathrel {:=}\langle \mathbf g, (\mathbf y_1\Vert 1) \otimes \ldots \otimes (\mathbf y_k\Vert 1) \rangle , \end{aligned}$$
(9)

where \(\mathbf g\in \mathbb F_q^{(n_1+1)\ldots (n_k+1)}\).

Fig. 6.
figure 6

The PSM protocol for degree-k polynomials with \((\mathsf {cc}_A,\mathsf {cc}_B) = (\prod _j(n_j+1)\log q, (\sum _j n_j+1)\log q)\).

Full size image

Theorem 5.1

There is a PSM protocol for degree k polynomials over \(\mathbb F_q\) (shown in Fig. 6) where Alice sends \(\prod _j(n_j+1)\) elements of \(\mathbb F_q\), Bob sends \(\sum _j n_j + 1\) elements of \(\mathbb F_q\) and Charlie applies a degree-\((k+1)\) reconstruction function over \(\mathbb F_q\).

Proof

The correctness is straight-forward, as

$$ h({\overline{\mathbf {m}}}_B^1) - m_B^2 = h({\overline{\mathbf {x}}}+{\overline{\mathbf {b}}}) - g({\overline{\mathbf {x}}}+{\overline{\mathbf {b}}}) = \langle \mathbf p,\mathbf x_1 \otimes \ldots \otimes \mathbf x_k \rangle . $$

It takes \(\prod _j(n_j+1)\) elements of \(\mathbb F_q\) to encode a non-homogeneous degree-k polynomial over \(\mathbb F_q\). Thus the communication complexity is \(\mathsf {cc}_A = \prod _j(n_j+1) \cdot \log q\), \(\mathsf {cc}_B = (\sum _j n_j + 1) \log q\). Privacy follows from the following observations:

  • the joint distribution of \({\overline{\mathbf {m}}}^1_B, h\) is uniformly random, since we are using \(({\overline{\mathbf {b}}}, g)\) as one-time pads;

  • we have \(m^2_B = h({\overline{\mathbf {m}}}_B) - f({\overline{\mathbf {x}}})\).

Putting the two together, we can simulate \(h, {\overline{\mathbf {m}}}^1_B, m^2_B\) given just \(f({\overline{\mathbf {x}}})\). The reconstruction is of degree \(k+1\).    \(\square \)

Generalization. The technique of this PSM protocol (shown in Fig. 6) can be generalized to the following functionality: Alice holds \(f\in \mathscr {F}\), Bob holds \(\mathbf x\in \mathscr {X}\) and Charlie learns \(f(\mathbf x)\in \mathscr {D}\), where \(\mathscr {F}\) is a public set of functions from finite group \(\mathscr {X}\) to finite group \(\mathscr {D}\) satisfying

  • Closure under group operation: for any \(f,f' \in \mathscr {F}\), the function \(f+ f'\), defined as \((f+ f')(\mathbf x) = f(\mathbf x) + f'(\mathbf x)\), is in \(\mathscr {F}\) as well;

  • Closure under input shift: for any \(f\in \mathscr {F}, \mathbf s\in \mathscr {X}\), the function \(f_{\mathbf s}\), defined as \(f_\mathbf s(\mathbf x) = f(\mathbf x-\mathbf s)\), is also in \(\mathscr {F}\).

The resulting PSM has nearly optimal communication complexity, \(\mathsf {cc}_A = \log |\mathscr {F}|\) which matches information theoretical lower bound and \(\mathsf {cc}_B = \log |\mathscr {X}| + \log |\mathscr {D}|\) which is higher than the optimal by at most \(\log |\mathscr {D}|\).

Inner Product. The inner product problem, where Alice and Bod hold \(\mathbf x,\mathbf y\in \mathbb F_p^{n}\) respectively and Charlie learns \(\langle \mathbf x,\mathbf y \rangle \), is an alias of \(\mathbf {MPOLY}^1_n\). Thus there is an efficient PSM protocol for inner product.

Corollary 3

There exists a PSM protocol for inner product with \(\mathsf {cc}_A = \mathsf {cc}_B = n+1\) and degree-2 reconstruction.

5.2 Degree-4 Functions

Here, we present a PSM for degree 4 functions with linear communication, which we then use to derive a PSM for \(\mathbf {ALL}_N\) in the next section.

Functionality. There is a fixed public function \(\mathbf p\in \mathbb F_q^{n^4}\). Alice holds \(\mathbf x_1,\mathbf x_2\in \mathbb F_q^{n}\) and Bob holds \(\mathbf y_1,\mathbf y_2 \in \mathbb F_q^n\). Charlie learns \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \).

Protocol Overview. Alice sends \(\mathbf x_1+\mathbf b_1,\mathbf x_2+\mathbf b_2\), Bob sends \(\mathbf y_1+\mathbf c_1,\mathbf y_2+\mathbf c_2\). Then Charlie can computes

(10)

The key insight is that the two terms that are linear in either in \(\mathbf x_1 \Vert \mathbf x_2\) or \(\mathbf y_1 \Vert \mathbf y_2\) and can be computed using a PSM for inner product with O(n) communication.

Theorem 5.2

This is a PSM protocol for degree-4 functions over \(\mathbb F_q\) (shown in Fig. 7) where both Alice and Bob send \((4n+3)\) elements of \(\mathbb F_q\) and Charlie applies a degree-4 reconstruction function over \(\mathbb F_q\).

Proof

Correctness is straight-forward from Eq. (10), as

$$\begin{aligned} \begin{aligned}&\langle \mathbf p,\mathbf m^1_A\otimes \mathbf m^2_A\otimes \mathbf m^1_B\otimes \mathbf m^2_B \rangle -a \\ ={}&\langle \mathbf p,\mathbf m^1_A\otimes \mathbf m^2_A\otimes \mathbf m^1_B\otimes \mathbf m^2_B \rangle \\&- \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf c_1,\mathbf c_2,\mathbf x_1,\mathbf x_2}, \mathbf y_1\Vert \mathbf y_2\Vert 1 \rangle - \langle \mathbf p'_{\mathbf b_1,\mathbf b_2,\mathbf c_1,\mathbf c_2,\mathbf y_1,\mathbf y_2}, \mathbf x_1\Vert \mathbf x_2\Vert 1 \rangle \\ ={}&\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle . \end{aligned} \end{aligned}$$

Privacy follows from the following observations:

  • the joint distribution of \(\mathbf m^1_A,\mathbf m^2_A,\mathbf m^1_B,\mathbf m^2_B\) is uniformly random, since we are using \((\mathbf b_1,\mathbf b_2,\mathbf c_1,\mathbf c_2)\) as one-time pads;

  • a is determined by \(\mathbf p,\mathbf m^1_A,\mathbf m^2_A,\mathbf m^1_B,\mathbf m^2_B\) and \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \) as \(a = \langle \mathbf p,\mathbf m^1_A\otimes \mathbf m^2_A\otimes \mathbf m^1_B\otimes \mathbf m^2_B \rangle - \langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \). The messages in the underlying PSM for inner product can be simulated given just a.

Putting the two together, we can simulate Charlie’s view, consisting of \(\mathbf m^1_A,\mathbf m^2_A\), \(\mathbf m^1_B,\mathbf m^2_B\) and the messages in PSM for inner product, given \(\langle \mathbf p, \mathbf x_1 \otimes \mathbf x_2 \otimes \mathbf y_1 \otimes \mathbf y_2 \rangle \).

The reconstruction is of degree 4. Communication complexity is \(\mathsf {cc}_A = \mathsf {cc}_B = (4n+3) \log q\), each party sends 2n elements as one-time pads of its input, and \(2n+3\) elements for computing the inner product.    \(\square \)

5.3 Applications to \(\mathbf {INDEX}_n\) and \(\mathbf {ALL}_N\)

Theorem 5.3

For any integer \(k \ge 1\), there are PSM protocols for \(\mathbf {INDEX}_n\) with: \((\mathsf {cc}_A,\mathsf {cc}_B) = (O(n), k \cdot n^{1/k}+1)\) and degree-\((k+1)\) reconstruction.

Note that setting \(k=1\) and \(k=\log n\) yields the folklore constructions described in Fig. 2.

Proof

It follows from combining the \(\mathbf {MPOLY}^k_{n^{1/k},\ldots ,n^{1/k}} \Rightarrow \mathbf {INDEX}_n\) reduction in Sect. 2.3 with our PSM for \(\mathbf {MPOLY}^k\) in Theorem 5.1. This immediately yields a PSM for \(\mathbf {INDEX}_n\) with \((\mathsf {cc}_A,\mathsf {cc}_B) = ((\lceil n^{1/k}\rceil +1)^k, k\lceil n^{1/k}\rceil +1)\) and degree-\((k+1)\) reconstruction.

$$\begin{aligned} \mathsf {cc}_A (n) \le (\lceil n^{1/k}\rceil +1)^k \le (n^{1/k} + 2)^k = n + 2k n^{1-1/k} + \ldots = O(n) \end{aligned}$$

   \(\square \)

Fig. 7.
figure 7

The PSM protocol for degree-4 functions with \(\mathsf {cc}_A = \mathsf {cc}_B = (4n+3)\log q\).

Full size image

Theorem 5.4

There are PSM protocols for \(\mathbf {ALL}_N\) with: \((\mathsf {cc}_A,\mathsf {cc}_B) = (\sqrt{N},\sqrt{N})\) and degree-4 reconstruction.

Note that such PSM protocols were already shown in [BIKK14] via the use of a 4-server PIR; our construction is simpler, and we provide an explicit bound on the complexity of reconstruction.

Proof

The predicate \(\mathbf {ALL}_N\) can be reduced to degree-4 function problem defined in Fig. 7.

  • \(\mathbf p\in \mathbb F_2^{N^2}\) is the true table of the fixed function F, such that for any \(x,y\in [N]\), \(\langle \mathbf p,\mathbf e_x\otimes \mathbf e_y \rangle = F(x,y)\)

  • Alice holds \(\mathbf x_1 \mathrel {:=}\mathbf e_{i_1} \in \mathbb F_2^{\sqrt{N}}, \mathbf x_2 \mathrel {:=}\mathbf e_{i_2} \in \mathbb F_2^{\sqrt{N}}\) such that \(\mathbf e_{i_1}\otimes \mathbf e_{i_2} = \mathbf e_x\).

  • Bob holds \(\mathbf y_1 \mathrel {:=}\mathbf e_{i_1} \in \mathbb F_2^{\sqrt{N}}, \mathbf y_2 \mathrel {:=}\mathbf e_{i_2} \in \mathbb F_2^{\sqrt{N}}\) such that \(\mathbf e_{i_1}\otimes \mathbf e_{i_2} = \mathbf e_y\).

Under such reduction, \(\langle \mathbf p, \mathbf x_1\otimes \mathbf x_2\otimes \mathbf y_1\otimes \mathbf y_2 \rangle = \langle \mathbf p, \mathbf e_x\otimes \mathbf e_y \rangle = F(x,y)\). Combining with the PSM protocol for degree-4 function in Sect. 5.2, there are PSM protocols for \(\mathbf {ALL}_N\) with \((\mathsf {cc}_A,\mathsf {cc}_B) = O(\sqrt{N},\sqrt{N})\) and degree-4 reconstruction.

   \(\square \)