Draft:Conditional disclosure of secrets

Review waiting, please be patient. This may take 2 months or more, since drafts are reviewed in no specific order. There are 2,835 pending submissions waiting for review. If the submission is accepted, then this page will be moved into the article space. If the submission is declined, then the reason will be posted here. In the meantime, you can continue to improve this submission by editing normally. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Reviewer tools Instructions · What links here · Conditional disclosure of secrets (talk: + · bio) · (log) · Copyvios report · reFill · Citation Bot · (Search: Google, Wikipedia) · Submitted 21 days ago by Alexmay28 (talk: D · +) · Last edited 4 days ago by Alexmay28

The conditional disclosure of secrets (CDS) primitive studied in information-theoretic cryptography allows distributed, non-communicating parties to coordinate the release of information to a third party. CDS was initially introduced for use in the context of private information retrieval^[1], and has been related to communication complexity^[2] and non-local quantum computation^[3].

The conditional disclosure of secrets setting involves three players; Alice, Bob and the referee. Alice receives an input ${\displaystyle x\in \{0,1\}^{n}}$ and a secret ${\displaystyle z\in \{0,1\}}$, and Bob receives a string ${\displaystyle y\in \{0,1\}^{n}}$. A choice of Boolean function ${\displaystyle f:\{0,1\}^{2n}\rightarrow \{0,1\}}$ is fixed in advance and known to all players. Alice and Bob cannot communicate with one another, but share a string of random bits which we label ${\displaystyle r}$. Alice and Bob compute messages ${\displaystyle m_{A}=m_{A}(x,z,r)}$ and ${\displaystyle m_{B}=m_{B}(y,r)}$, which they send to the referee. The referee knows ${\displaystyle (x,y)}$. A CDS protocol consists of the encoding maps applied by Alice and Bob.

A protocol is said to be ${\displaystyle \epsilon }$-correct if, for all ${\displaystyle (x,y)\in f^{-1}(1)}$, the referee can determine ${\displaystyle z}$ with probability ${\displaystyle 1-\epsilon }$.

A protocol is said to be ${\displaystyle \delta }$-secure if, for all ${\displaystyle (x,y)\in f^{-1}(0)}$ the distribution of the messages is ${\displaystyle \delta }$ close to a simulator distribution (in total variation distance), where the simulator distribution is independent of ${\displaystyle z}$.

The communication complexity of a CDS protocol P is the total number of bits of message sent by Alice and Bob. The CDS communication cost of a function, ${\displaystyle CDS_{\epsilon ,\delta }(f)}$ is the minimal communication cost of an ${\displaystyle \epsilon }$-correct, ${\displaystyle \delta }$ secure protocol that implements ${\displaystyle f}$. The randomness complexity and randomness cost of implementing a function in the CDS model are defined similarly, but consider the number of bits of shared random bits held by Alice and Bob.

Supposing we have an ${\displaystyle \epsilon }$-correct and ${\displaystyle \delta }$-secure CDS protocol, it is known that we can find a new protocol which reduces the correctness and privacy errors at the expense of an increased communication and randomness cost. More specifically, the following theorem has been proven^[4]:

Theorem (Amplification). A CDS protocol for f which supports a single-bit secret with privacy and correctness error of 1/3 can be transformed into a new CDS protocol with privacy and correctness error of ${\displaystyle 2^{-\Omega (k)}}$ and communication/randomness complexity which are larger than those of the original protocol by a multiplicative factor of O(k).

In fact, somewhat more than the above theorem is true in that the size of the secret can also be made to be of length ${\displaystyle k}$, while simultaneously reducing the correctness and privacy errors as above. The proof involves first encoding the secret ${\displaystyle z}$ into a secret sharing scheme, and then running the original CDS protocol on each share of the resulting scheme.

If a CDS protocol for a function ${\displaystyle f}$ is known, then certain simple modifications of ${\displaystyle f}$ have CDS protocols with similar efficiency.

The simplest case is to consider a CDS protocol for function ${\displaystyle f}$ and ask for a similarly efficient protocol for the negation of ${\displaystyle f}$, labelled ${\displaystyle \neg f}$. This is addressed by the following theorem^[4]

Theorem (CDS is closed under complement). Suppose that f has a CDS protocol with randomness cost of ${\displaystyle \rho }$ bits, communication complexity of ${\displaystyle t}$ bits, and privacy and correctness errors ${\displaystyle \delta =\epsilon =2^{-k}}$. Then ${\displaystyle \neg }$ has a CDS scheme with similar privacy and correctness errors, and randomness and communication complexity of ${\displaystyle O(k^{3}\rho ^{2}t+k^{3}\rho ^{3})}$.

The cost of a CDS protocol is also closed under formula's, in the following sense. Consider two functions ${\displaystyle f_{1}}$ and ${\displaystyle f_{2}}$. Then, the communication and randomness costs of ${\displaystyle f_{1}\wedge f_{2}}$ as well as ${\displaystyle f_{1}\vee f_{2}}$ are not much larger than the sum of the costs for ${\displaystyle f_{1}}$ and ${\displaystyle f_{2}}$. See Applebaum et al.^[4] for a precise statement.

Given a function ${\displaystyle f}$ we would like to understand the communication and randomness costs to implement ${\displaystyle f}$ in the CDS setting. Towards understanding this, protocols for implementing CDS have been developed (which give an upper bound on the cost) and lower bound strategies have been developed. For most functions, there is a large gap between the known upper and lower bound, so understanding the cost of CDS remains largely an open problem.

This section presents some of what is known so far about the cost of CDS.

A subject with a close relationship to CDS is secret sharing. Secret sharing constructions provide an upper bound on the cost of CDS protocols.

A secret sharing scheme encodes a secret, ${\displaystyle s}$ into a set of shares ${\displaystyle S_{1},...,S_{n}}$. Associated to any secret sharing scheme is an access structure, which consists of a set of authorized sets ${\displaystyle {\mathcal {A}}={A_{1},...,A_{k}}}$ with ${\displaystyle A_{i}\subseteq \{S_{1},...,S_{n}\}}$. The authorized sets are those subsets of the ${\displaystyle A_{i}}$ from which it is possible to recover the secret recorded into the scheme.

A succinct way to describe an access structure is in terms of a function ${\displaystyle f_{\mathcal {A}}:\{0,1\}^{n}\rightarrow \{0,1\}}$. Each subset of the shares ${\displaystyle K[x]\subset \{S_{1},...,S_{n}\}}$ is labelled by a string ${\displaystyle x\in \{0,1\}^{n}}$ such that ${\displaystyle x_{i}=1}$ if and only if ${\displaystyle S_{i}\in K}$. Then we define ${\displaystyle f_{\mathcal {A}}}$ to be such that ${\displaystyle f_{\mathcal {A}}(x)=1}$ if and only if ${\displaystyle K[x]\in {\mathcal {A}}}$. In words, the function ${\displaystyle f_{\mathcal {A}}}$ is 1 when given an authorized subset as input, and 0 otherwise.

A basic result in the theory of secret sharing is that an access structure ${\displaystyle {\mathcal {A}}}$ can be realized in a secret sharing scheme if and only if ${\displaystyle f_{\mathcal {A}}}$ is monotone.

The size of a secret sharing scheme is defined as the total number of bits in the shares ${\displaystyle S_{i}}$. For monotone functions, there is an upper bound on the communication cost in CDS for any monotone function ${\displaystyle f}$ in terms of the size of any secret sharing scheme with access structure given by ${\displaystyle f}$,^[1]

${\displaystyle CDS_{\epsilon =0,\delta =0}(f)\leq SharingSize(f)}$

For some concrete classes of secret sharing schemes, this relationship can be extended to general (non-monotone) Boolean functions. This leads to an upper bound on CDS cost in terms of the size of any span program^[5] that computes ${\displaystyle f}$,

${\displaystyle CDS_{\epsilon =0,\delta =0}(f)\leq SP_{k}(f)}$

The class of problems with efficient (polynomial size) span program is the complexity class ${\displaystyle Mod_{k}L}$, so problems in this class have efficient CDS protocols.

Using a matching vector family based construction, it has been proven that^[6]

${\displaystyle \forall f,\,\,\,\,\,\,CDS_{\epsilon =0,\delta =0}(f)\leq 2^{O({\sqrt {n\log n}})}}$.

The technique for this proof is similar to one used to prove upper bounds on private information retrieval^[7]. This upper bound on CDS also leads to sub-exponential upper bounds on the size of a large class of secret sharing schemes.^[8]

In a CDS protocol, the referee is given the inputs ${\displaystyle (x,y)}$. This means it is not clear if the messages sent by Alice and Bob need to, by themselves, determine the function value. Consequently there is not immediately a lower bound on the communication cost in CDS based on communication complexity.

Nonetheless, with some effort certain lower bounds on communication cost in CDS can be proven in terms of communication complexity. The first such bound proven is that^[9]

${\displaystyle CDS_{\epsilon =0.1,\delta =0.1}(f)\geq \Omega (\log R_{A\rightarrow B}(f)+R_{B\rightarrow A}(f))}$

where ${\displaystyle R_{A\rightarrow B}(f)}$ is the communication complexity of computing ${\displaystyle f}$ in the one-way communication model, where Alice sends a message to Bob and then Bob should determine the function value. The proof of this lower bounds works by showing that a referee who does not receive ${\displaystyle (x,y)}$ but gets an exponential number of samples of Alice and Bob's messages (using freshly drawn randomness for each sample) can determine ${\displaystyle f(x,y)}$. The above lower bound is tight in that there are functions saturating it up to constant factors.

Notice that the above bound is never better than logarithmic, since ${\displaystyle R_{A\rightarrow B}}$ is never larger than linear. Linear lower bounds have been proven on CDS, but these come at the expense of considering either perfect correctness or perfect security.^[10]

One result regarding linear lower bounds on CDS that doesn't assume perfect security or perfect correctness is a lower bound in terms of Arthur-Merlin proof complexity, considered in a communication complexity setting^[10]. This suggests that proving linear lower bounds in the case of ${\displaystyle \epsilon ,\delta >0}$ would constitute an interesting step towards proving linear lower bounds on (communication complexity variants of) Arthur-Merlin proofs, which is a well studied open problem in communication complexity.

The CDS setting where we allow Alice and Bob to share quantum entanglement, rather than only classically correlated bits, and to send quantum messages has also been considered^[3]. An initial result about this setting is that the communication cost in the quantum setting is never larger than the classical communication cost. This follows because a classical protocol remains secure under the formal definition of a quantum CDS protocol.

Quantum CDS is closely related to non-local quantum computation (NLQC). In particular, an example of NLQC known as ${\displaystyle f}$-routing is equivalent in a certain sense to quantum CDS: an ${\displaystyle f}$-routing protocol for a function ${\displaystyle f}$ can be transformed into quantum CDS protocol for the same function, and the resulting protcol uses similar resources. Conversely, a quantum CDS protocol can be transformed into an ${\displaystyle f}$-routing protocol for the same function, which uses similar communication and using entanglement equal to the amount of randomness+entanglement in the CDS protocol.

For certain partial functions, it is known that quantum CDS protocols can use exponentially fewer resources than any classical protocol^[11].