The Communication Complexity of Private Simultaneous Messages, Revisited

Abstract

Private simultaneous message (PSM) protocols were introduced by Feige, Kilian, and Naor (STOC ’94) as a minimal non-interactive model for information theoretic three-party secure computation. While it is known that every function \(f:\{0,1\}^k\times \{0,1\}^k \rightarrow \{0,1\}\) admits a PSM protocol with exponential communication of \(2^{k/2}\) (Beimel et al., TCC ’14), the best known (non-explicit) lower-bound is \(3k-O(1)\) bits. To prove this lower-bound, FKN identified a set of simple requirements, showed that any function that satisfies these requirements is subject to the \(3k-O(1)\) lower-bound, and proved that a random function is likely to satisfy the requirements. We revisit the FKN lower-bound and prove the following results: (Counterexample) We construct a function that satisfies the FKN requirements but has a PSM protocol with communication of \(2k+O(1)\) bits, revealing a gap in the FKN proof. (PSM lower-bounds) We show that by imposing additional requirements, the FKN argument can be fixed leading to a \(3k-O(\log k)\) lower-bound for a random function. We also get a similar lower-bound for a function that can be computed by a polynomial-size circuit (or even polynomial-time Turing machine under standard complexity-theoretic assumptions). This yields the first non-trivial lower-bound for an explicit Boolean function partially resolving an open problem of Data, Prabhakaran, and Prabhakaran (Crypto ’14, IEEE Information Theory ’16). We further extend these results to the setting of imperfect PSM protocols which may have small correctness or privacy error. (CDS lower-bounds) We show that the original FKN argument applies (as is) to some weak form of PSM protocols which are strongly related to the setting of Conditional Disclosure of Secrets (CDS). This connection yields a simple combinatorial criterion for establishing linear \(\varOmega (k)\)-bit CDS lower-bounds. As a corollary, we settle the complexity of the inner-product predicate resolving an open problem of Gay, Kerenidis, and Wee (Crypto ’15).

A Lower-Bound for Weakly-Private Fully-Revealing Protocols

In this section we provide an alternative combinatorial proof to Theorem 8 by following the outline of the original FKN argument. Recall that f is weakly non-degenerate if for every x, there exists y such that \(f(x,y)\ne f({\bar{x}},y)\).

Let \(\varPi =(\varPi _A,\varPi _B,g)\) be a perfect PSM protocol for f whose shared randomness is sampled uniformly from the set \({\mathcal {R}}\). In the following we let \(C_r(x,y)=(\varPi _A(x,r),\varPi _B(x,r))\) denote the function that for randomness r, maps the inputs of Alice and Bob, x, y, to the messages (a, b). To prove Theorem 8 we show that at least \(U^2/(2M)\) different messages (a, b) are being sent in \(\varPi \). In fact, we will show that this happens even if we restrict our attention to some well chosen (ordered) subset of random strings \({\mathbf {r}}=(r_1,\ldots ,r_L)\). We will also restrict our attention only to useful inputs (x, y) (for which \(f(x,y)=f({\bar{x}},y)\)). That is, we will prove that

$$\begin{aligned} |\bigcup _{r\in {\mathbf {r}}} \left\{ C_r(x,y): (x,y) \text { is useful}\right\} |\ge U^2/(4M) \end{aligned}$$

(17)

For a given \({\mathbf {r}}=(r_1,\ldots ,r_L)\) consider the following counting scheme.

Clearly, the output is equal to the LHS of (17). The lower-bound will be established by showing that there are not too many collisions. We begin by noting that \(C_r\) is injective for any r.

Claim 25

For every r, the function \(C_r(\cdot )\) is injective.

Proof

Suppose that \(C_r(x,y)=C_r(x',y')\) for some r. Since the protocol is fully revealing, it must hold that \(y=y'\) and \(x'\in \left\{ x,{\bar{x}}\right\} \). Assume, toward a contradiction, that \(x'={\bar{x}}\), and let \(a=\varPi _A(x,r)=\varPi _A({\bar{x}},r)\). For any y, let \(b(y)=\varPi _B(y;r)\). Then, by perfect correctness, it holds that

$$\begin{aligned} f(x,y)=g(a,b(y))=f({\bar{x}},y) \end{aligned}$$

for every y. Contradicting the fact that f is weakly non-degenerate. \(\square \)

Suppose that (x, y) and \((x',y')\) collide over r and \(r'\). That is, \(c=C_r(x,y)=C_{r'}(x',y')\). Then either the collision is trivial, i.e., \((x,y)=(x',y')\), or \((x,y)\ne (x',y')\). In the latter case, it must hold that \(x'={\bar{x}}\) and \(y'=y\) since the protocol is fully revealing. Indeed, otherwise, the value of \((x[1:k-1],y)\) cannot be recovered from c. We refer to this type of collision as non-trivial.⁹

While it easy to get some upper-bound on the amount of non-trivial collisions, it is somewhat tricky to upper-bound the number of trivial collisions. For this reason, we treat the two cases asymmetrically. In particular, getting back to our counting algorithm, consider a useful (x, y) which is excluded in the i-th step. We refer to this exclusion as non-trivial if there exists some \(r_j,j<i\) for which \(C_{r_i}(x,y)=C_{r_j}({\bar{x}},y)\). Otherwise, we refer to the exclusion as trivial. In the latter case, \(c=C_{r_i}(x,y)\) appears in the image of \(C_{r_j}\) for (one or more) \(r_j\),\(j<i\) but only as an image of (x, y).

The following claim relates the number of non-trivial collisions to the size of the largest complement similar rectangle of f. (Recall that the latter is upper-bounded by M.)

Claim 26

Every pair of distinct random string \(r\ne r'\) has at most M non-trivial collisions. Consequently, for every choice of \({\mathbf {r}}=(r_1,\ldots ,r_L)\), the total number of non-trivial exclusions in the above process is at most \(M L^2/2\).

Proof

Fix a pair of random strings \(r\ne r'\) and consider all their non-trivial collisions \((x_1,y_1),\ldots , (x_t,y_t)\). For every i, it holds that \(C_r(x_i,y_i)=C_{r'}({\bar{x}}_i,y_i)\) and therefore \(\varPi _A(x_i,r)=\varPi _A({\bar{x}}_i,r')\) and \(\varPi _B(y_i,r)=\varPi _B(y_i,r')\). It follows that for every i, j, \(C_r(x_i,y_j)=C_{r'}({\bar{x}}_i,y_j)\), and so by perfect correctness the rectangle \(R=\left\{ (x_i,y_j): 1\le i,j \le t\right\} \) is complement similar. We conclude that r and \(r'\) can have at most M non-trivial collisions, which implies that the total number of non-trivial collisions over \({\mathbf {r}}\) is at most \(\sum _{i=1}^{L-1} i M\le M L^2/2\). \(\square \)

The next claim handles trivial collisions by relating their number to the number of non-trivial collisions.

Claim 27

For every \(1\le L \le |{\mathcal {R}}|\), there exists a sequence of L distinct strings \({\mathbf {r}}=(r_1,\ldots ,r_L)\) for which the total number of trivial exclusions in the above process is upper-bounded by the number of non-trivial exclusions.

Proof

By induction on L. The case of \(L=1\) trivially holds. Fix some sequence \({\mathbf {r}}=(r_1,\ldots ,r_{L-1})\) of length \(L-1\) for which the claim holds. We show that we can always extend \({\mathbf {r}}\) by an additional string \(r\notin {\mathbf {r}}\) such that T(r), the number of trivial exclusions contributed by r, is upper-bounded by N(r), the number of non-trivial exclusions contributed by r. For this aim, we will show that the expectation, over a random \(r\notin {\mathbf {r}}\), of \(\delta (r)=N(r)-T(r)\) is positive.

For every useful (x, y) and transcript c, let \(N_{x,y,c}(r)\) be an indicator that takes the value 1 if \(C_r(x,y)=c\) and there exists \(r'\in {\mathbf {r}}\) for which \(C_{r'}({\bar{x}},y)=c\). Similarly, let \(T_{x,y,c}(r)\) be an indicator that takes the value 1 if \(C_r(x,y)=c\) and there exists \(r'\in {\mathbf {r}}\) for which \(C_{r'}(x,y)=c\) but there is no \(r''\in {\mathbf {r}}\) for which \(C_{r''}({\bar{x}},y)=c\). Note that \(N(r)=\sum _{x,y,c} N_{x,y,c}(r)\) and \(T(r)=\sum _{x,y,c} T_{x,y,c}(r)\). It will be useful to “symmetrize” \(N(r)-T(r)\) around x and \({\bar{x}}\) and write it as

$$\begin{aligned} \frac{1}{2}\sum _{x,y,c} \left( N_{x,y,c}(r)-T_{x,y,c}(r)\right) + \left( N_{{\bar{x}},y,c}(r)-T_{{\bar{x}},y,c}(r)\right) . \end{aligned}$$

Hence, by the linearity of expectation, it suffices to show that for every x, y, c,

$$\begin{aligned} {{\,\mathrm{{\mathsf {E}}}\,}}_{r:r\notin {\mathbf {r}}}[\left( N_{x,y,c}(r)-T_{x,y,c}(r)\right) + \left( N_{{\bar{x}},y,c}(r)-T_{{\bar{x}},y,c}(r)\right) ]\ge 0. \end{aligned}$$

(18)

We establish this via case analysis.

1. 1.

   c is new. That is, for every \(r'\in {\mathbf {r}}\), neither \(C_{r'}(x,y)=c\) nor \(C_{r'}({\bar{x}},y)=c\). Then, for every r, \(N_{x,y,c}(r)=T_{x,y,c}(r)=N_{{\bar{x}},y,c}(r)=T_{{\bar{x}},y,c}(r)=0\) and (18) holds.

2. 2.

   c already appears both under (x, y) and \(({\bar{x}},y)\). That is, there exists \(r',r''\in {\mathbf {r}}\) for which \(C_{r'}(x,y)=C_{r''}({\bar{x}},y)=c\). Then, for every \(r\notin {\mathbf {r}}\),

   $$\begin{aligned} N_{x,y,c}(r)=N_{{\bar{x}},y,c}(r)\ge 0, \quad \text {and} \quad T_{x,y,c}(r)=T_{{\bar{x}},y,c}(r)=0, \end{aligned}$$

   where the inequality is strict when \(C_{r}(x,y)=c\). Equation (18) follows.

3. 3.

   c already appears under (x, y) (i.e., \(\exists r'\in {\mathbf {r}}\) s.t. \(C_{r'}(x,y)=c\)) but never appeared under \(({\bar{x}},y)\) (i.e., \(\not \exists r'\in {\mathbf {r}}\) s.t. \(C_{r'}({\bar{x}},y)=c\)). In this case, we can partition all the \(r\notin {\mathbf {r}}\) to three types.

   • (Bad) \(C_r(x,y)=c\). In this case, \(N_{x,y,c}(r)-T_{x,y,c}(r)=-1\) and \(N_{{\bar{x}},y,c}(r)=T_{{\bar{x}},y,c}(r)=0\) (since \(C_r({\bar{x}},y)\ne c\) due to injectivity).

   • (Good) \(C_r({\bar{x}},y)=c\). In this case \(N_{{\bar{x}},y,c}(r)-T_{{\bar{x}},y,c}(r)=1\) and \(N_{x,y,c}(r)=T_{x,y,c}(r)=0\) (since \(C_r(x,y)\ne c\) due to injectivity).

   • (Neutral) \(C_r(x,y),C_r({\bar{x}},y)\ne c\). In this case, \(N_{x,y,c}(r)=T_{x,y,c}(r)=N_{{\bar{x}},y,c}(r)=T_{{\bar{x}},y,c}(r)=0\).

   We argue that outside \({\mathbf {r}}\), there are more Good r’s than Bad r’s. Indeed, by perfect privacy, the total number of Good r’s among all \(r\in {\mathcal {R}}\) is equal to the total number of Bad r’s among all \(r\in {\mathcal {R}}\). Since \({\mathbf {r}}\) contains at least one Bad string but not a single Good string, the set \({\mathcal {R}}\setminus {\mathbf {r}}\) contains more Good strings than bad strings. Hence, (18) follows.

4. 4.

   The last case is symmetric to the previous case (i.e., c already appears under \(({\bar{x}},y)\) but never appeared under (x, y)). This case is handled similarly to the previous case.

This completes the proof of Claim 27. \(\square \)

In order to complete the argument, we prove a lower-bound on the number of random strings. Recall that U denotes the number of useful inputs.

Claim 28

The size of \({\mathcal {R}}\) is at least U / M.

Proof

Let \({\mathcal {U}}\) denote the set of all useful inputs. Fix some random string \(r\in {\mathcal {R}}\). We count the number of non-trivial collisions \(\ell \) with r. That is,

$$\begin{aligned} \ell =|\left\{ (x,y,r'): (x,y)\in {\mathcal {U}}\text { and } C_r(x,y)=C_{r'}({\bar{x}},y)\right\} |. \end{aligned}$$

Since \(C_r\) is injective (Claim 25), the set \(C_r({\mathcal {U}})\) consists of at least U transcripts. By perfect privacy, each such transcript \(c= C_r(x,y), (x,y)\in {\mathcal {U}}\) must be an image of \(({\bar{x}},y)\) under some (different) \(C_{r'}\). Hence, \(\ell \ge U\). On the other hand, by Claim 26, each pair of distinct \(r\ne r'\) can have at most M non-trivial collisions, and therefore \(\ell \le |{\mathcal {R}}|M\). The claim follows. \(\square \)

We can now complete the proof. Let \(L= U/(2M)<|{\mathcal {R}}|\). Apply the counting algorithm to a sequence \({\mathbf {r}}=(r_1,\ldots ,r_L)\) of L distinct strings which satisfies Claim 27. Since \(C_r\) is injective for every \(r\in {\mathbf {r}}\), Step 2a is performed LU times, out of which there are at most \(M L^2/2\) non-trivial exclusions (Claim 27) and \(M L^2/2\) trivial exclusions (Claim 27). Hence, S contains at least \(LU-ML^2=U^2/(4M)\) strings. The theorem follows. \(\square \)