
Placing Conditional Disclosure of Secrets in the Communication Complexity Universe

Journal of Cryptology

Abstract

In the conditional disclosure of secrets (CDS) problem (Gertner et al. in J Comput Syst Sci, 2000) Alice and Bob, who hold n-bit inputs x and y respectively, wish to release a common secret z to Carol, who knows both x and y, if and only if the input (x, y) satisfies some predefined predicate f. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some shared randomness, and the goal is to minimize the communication complexity while providing information-theoretic security. Despite the growing interest in this model, very few lower-bounds are known. In this paper, we relate the CDS complexity of a predicate f to its communication complexity under various communication games. For several basic predicates our results yield tight, or almost tight, lower-bounds of \(\Omega (n)\) or \(\Omega (n^{1-\epsilon })\), providing an exponential improvement over previous logarithmic lower-bounds. We also define new communication complexity classes that correspond to different variants of the CDS model and study the relations between them and their complements. Notably, we show that allowing for imperfect correctness can significantly reduce communication—a seemingly new phenomenon in the context of information-theoretic cryptography. Finally, our results show that proving explicit super-logarithmic lower-bounds for imperfect CDS protocols is a necessary step towards proving explicit lower-bounds against the communication complexity class \(\text {AM}^{\text {cc}}\), or even \(\text {AM}^{\text {cc}}\cap \text {co-AM}^{\text {cc}}\)—a well-known open problem in the theory of communication complexity. Thus imperfect CDS forms a new minimal class which is placed just beyond the boundaries of the “civilized” part of the communication complexity world for which explicit lower-bounds are known.


Notes

  1. The theorem of [7] actually relates the communication and randomness complexity of CDS for f to the randomness and communication complexity of a ZAM protocol for the complement of f. However, using the results of this paper, specifically Lemma 1, one can conclude that the CDS communication of f is at most linear in the ZAM communication of f.

  2. Here we assume that we have a \(\mathrm {CDS} \) in which only Bob holds the secret. However, any \(\mathrm {CDS} \) can be transformed into this form with an additional communication cost of \(O(|z|)=O(1)\).

  3. In particular, nb-PRGs against circuits of fixed-polynomial size were constructed in [3, 8, 22]; for linear (or low-degree) adversaries, one can use standard constructions of Boolean PRGs [4, 49], and note that, by the Vazirani XOR lemma [30, 56], any PRG that \(\epsilon \)-fools Boolean linear (resp., low-degree) adversaries also \(\delta \)-fools non-Boolean linear (resp., low-degree) adversaries of output length \(t\le 2 \log (\epsilon /\delta )\).

  4. We thank Serge Fehr for pointing out this reference.

References

  1. B. Applebaum, B. Arkis, On the power of amortization in secret sharing: d-uniform secret sharing and CDS with constant information rate. in A. Beimel, S. Dziembowski (eds.), Theory of Cryptography—16th International Conference, TCC 2018, Panaji, India, November 11–14, 2018, Proceedings, Part I, Lecture Notes in Computer Science, vol. 11239 (Springer, 2018), pp. 317–344

  2. B. Applebaum, B. Arkis, P. Raykov, P.N. Vasudevan, Conditional disclosure of secrets: amplification, closure, amortization, lower-bounds, and separations. in Katz and Shacham [41], pp. 727–757

  3. B. Applebaum, S. Artemenko, R. Shaltiel, G. Yang, Incompressible functions, relative-error extractors, and the power of nondeterministic reductions. Comput. Complex. 25(2), 349–418 (2016)

  4. N. Alon, O. Goldreich, J. Håstad, R. Peralta, Simple construction of almost k-wise independent random variables. Random Struct. Algorithms 3(3), 289–304 (1992)

  5. B. Applebaum, T. Holenstein, M. Mishra, O. Shayevitz, The communication complexity of private simultaneous messages, revisited. in J.B. Nielsen, V. Rijmen (eds.), Advances in Cryptology—EUROCRYPT 2018—37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29–May 3, 2018, Proceedings, Part II, Lecture Notes in Computer Science, vol. 10821 (Springer, 2018), pp. 261–286

  6. W. Aiello, Y. Ishai, O. Reingold, Priced oblivious transfer: how to sell digital goods. in B. Pfitzmann (ed.), Advances in Cryptology—EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, May 6–10, 2001, Proceedings, Lecture Notes in Computer Science, vol. 2045 (Springer, 2001), pp. 119–135

  7. B. Applebaum, P. Raykov, From private simultaneous messages to zero-information Arthur–Merlin protocols and back. in Theory of Cryptography—13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part II (2016), pp. 65–82

  8. S. Artemenko, R. Shaltiel, Pseudorandom generators with optimal seed length for non-boolean poly-size circuits. TOCT 9(2), 6:1–6:26 (2017)

  9. N. Attrapadung, Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. in P.Q. Nguyen, E. Oswald (eds.), Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014, Proceedings, Lecture Notes in Computer Science, vol. 8441 (Springer, 2014), pp. 557–577

  10. L. Babai, Trading group theory for randomness. in Sedgewick [51], pp. 421–429

  11. A. Bouland, L. Chen, D. Holden, J. Thaler, P.N. Vasudevan, On the power of statistical zero knowledge. in C. Umans (ed.), 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2017, Berkeley, CA, USA, October 15–17, 2017, IEEE Computer Society (2017), pp. 708–719

  12. E.F. Brickell, D.M. Davenport, On the classification of ideal secret sharing schemes. J. Cryptology 4(2), 123–134 (1991)

  13. I. Berman, A. Degwekar, R.D. Rothblum, P.N. Vasudevan, From laconic zero-knowledge to public-key cryptography. IACR Cryptology ePrint Archive, Report 2018/548 (2018)

  14. A. Beimel, O. Farràs, Y. Mintz, N. Peter, Linear secret-sharing schemes for forbidden graph access structures. To appear in TCC 2017 (2017)

  15. L. Babai, P. Frankl, J. Simon, Complexity classes in communication complexity theory (preliminary version). in 27th Annual Symposium on Foundations of Computer Science, Toronto, Canada, October 27–29, 1986, IEEE Computer Society (1986), pp. 337–347

  16. A. Beimel, Y. Ishai, R. Kumaresan, E. Kushilevitz, On the cryptographic complexity of the worst functions. in Lindell [42], pp. 317–342

  17. A. Beimel, E. Kushilevitz, P. Nissim, The complexity of multiparty PSM protocols and related models. To appear in Eurocrypt 2018 (2018). https://eprint.iacr.org/2018/148

  18. L. Babai, S. Moran, Arthur–Merlin games: a randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci. 36(2), 254–276 (1988)

  19. A. Beimel, N. Peter, Optimal linear multiparty conditional disclosure of secrets protocols. Cryptology ePrint Archive, Report 2018/441 (2018). https://eprint.iacr.org/2018/441

  20. C. Calabro, The Exponential Complexity of Satisfiability Problems. Ph.D. Thesis, CS, UC San Diego (2009)

  21. R.M. Capocelli, A. De Santis, L. Gargano, U. Vaccaro, On the size of shares for secret sharing schemes. J. Cryptology 6(3), 157–167 (1993)

  22. B. Dubrov, Y. Ishai, On the randomness complexity of efficient sampling. in J.M. Kleinberg (ed.), Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, May 21–23, 2006, ACM (2006), pp. 711–720

  23. Y. Dodis, Shannon impossibility, revisited. in A.D. Smith (ed.), Information Theoretic Security—6th International Conference, ICITS 2012, Montreal, QC, Canada, August 15–17, 2012, Proceedings, Lecture Notes in Computer Science, vol. 7412 (Springer, 2012), pp. 100–110

  24. U. Feige, J. Kilian, M. Naor, A minimal model for secure computation (extended abstract). in F.T. Leighton, M.T. Goodrich (eds.), Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, May 23–25, 1994, Montréal, Québec, Canada, ACM (1994), pp. 554–563

  25. A. Fiat, M. Naor, Broadcast encryption. in D.R. Stinson (ed.), Advances in Cryptology—CRYPTO ’93, 13th Annual International Cryptology Conference, Santa Barbara, California, USA, August 22–26, 1993, Proceedings, Lecture Notes in Computer Science, vol. 773 (Springer, 1993), pp. 480–491

  26. Y. Gertner, Y. Ishai, E. Kushilevitz, T. Malkin, Protecting data privacy in private information retrieval schemes. J. Comput. Syst. Sci. 60(3), 592–629 (2000)

  27. R. Gay, I. Kerenidis, H. Wee, Communication complexity of conditional disclosure of secrets and attribute-based encryption. in R. Gennaro, M. Robshaw (eds.), Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part II, Lecture Notes in Computer Science, vol. 9216 (Springer, 2015), pp. 485–502

  28. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof-systems (extended abstract). in Sedgewick [51], pp. 291–304

  29. O. Goldreich, S. Micali, A. Wigderson, Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)

  30. O. Goldreich, Three XOR-lemmas—an exposition. in O. Goldreich (ed.), Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation—In Collaboration with Lidor Avigad, Mihir Bellare, Zvika Brakerski, Shafi Goldwasser, Shai Halevi, Tali Kaufman, Leonid Levin, Noam Nisan, Dana Ron, Madhu Sudan, Luca Trevisan, Salil Vadhan, Avi Wigderson, David Zuckerman, Lecture Notes in Computer Science, vol. 6650 (Springer, 2011), pp. 248–272

  31. M. Göös, T. Pitassi, T. Watson, Zero-information protocols and unambiguity in Arthur–Merlin communication. in T. Roughgarden (ed.), Proceedings of the 2015 Conference on Innovations in Theoretical Computer Science, ITCS 2015, Rehovot, Israel, January 11–13, 2015, ACM (2015), pp. 113–122

  32. M. Göös, T. Pitassi, T. Watson, The landscape of communication complexity classes. Computational Complexity 27(2), 245–304 (2018)

  33. S. Goldwasser, M. Sipser, Private coins versus public coins in interactive proof systems. Advances in Computing Research 5, 73–90 (1989)

  34. T. Holenstein, R. Renner, On the randomness of independent experiments. IEEE Transactions on Information Theory 57(4), 1865–1871 (2011)

  35. Y. Ishai, E. Kushilevitz, On the hardness of information-theoretic multiparty computation. in C. Cachin, J. Camenisch (eds.), Advances in Cryptology—EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, Proceedings, Lecture Notes in Computer Science, vol. 3027 (Springer, 2004), pp. 439–455

  36. Y. Ishai, E. Kushilevitz, A. Paskin, Secure multiparty computation with minimal interaction. in T. Rabin (ed.), Advances in Cryptology—CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15–19, 2010, Proceedings, Lecture Notes in Computer Science, vol. 6223 (Springer, 2010), pp. 577–594

  37. Y. Ishai, H. Wee, Partial garbling schemes and their applications. in J. Esparza, P. Fraigniaud, T. Husfeldt, E. Koutsoupias (eds.), Automata, Languages, and Programming—41st International Colloquium, ICALP 2014, Copenhagen, Denmark, July 8–11, 2014, Proceedings, Part I, Lecture Notes in Computer Science, vol. 8572 (Springer, 2014), pp. 650–662

  38. H. Klauck, On Arthur Merlin games in communication complexity. in Proceedings of the 26th Annual IEEE Conference on Computational Complexity, CCC 2011, San Jose, California, June 8–10, 2011, IEEE Computer Society (2011), pp. 189–199

  39. E. Kushilevitz, N. Nisan, Communication Complexity (Cambridge University Press, 1997)

  40. I. Kremer, N. Nisan, D. Ron, On randomized one-round communication complexity. Computational Complexity 8(1), 21–49 (1999)

  41. J. Katz, H. Shacham (eds.), Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part I, Lecture Notes in Computer Science, vol. 10401 (Springer, 2017)

  42. Y. Lindell (ed.), Theory of Cryptography—11th Theory of Cryptography Conference, TCC 2014, San Diego, CA, USA, February 24–26, 2014, Proceedings, Lecture Notes in Computer Science, vol. 8349 (Springer, 2014)

  43. S.V. Lokam, Spectral methods for matrix rigidity with applications to size-depth trade-offs and communication complexity. J. Comput. Syst. Sci. 63(3), 449–473 (2001)

  44. T. Liu, V. Vaikuntanathan, Breaking the circuit-size barrier in secret sharing. To appear in STOC 2018 (2018). https://eprint.iacr.org/2018/333

  45. T. Liu, V. Vaikuntanathan, H. Wee, Conditional disclosure of secrets via non-linear reconstruction. in Katz and Shacham [41], pp. 758–790

  46. T. Liu, V. Vaikuntanathan, H. Wee, Towards breaking the exponential barrier for general secret sharing. To appear in Eurocrypt 2018 (2017). https://eprint.iacr.org/2017/1062

  47. P. Bro Miltersen, N. Nisan, S. Safra, A. Wigderson, On data structures and asymmetric communication complexity. J. Comput. Syst. Sci. 57(1), 37–49 (1998)

  48. I. Newman, Private vs. common random bits in communication complexity. Inf. Process. Lett. 39(2), 67–71 (1991)

  49. J. Naor, M. Naor, Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)

  50. R. Renner, S. Wolf, Simple and tight bounds for information reconciliation and privacy amplification. in B.K. Roy (ed.), Advances in Cryptology—ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4–8, 2005, Proceedings, Lecture Notes in Computer Science, vol. 3788 (Springer, 2005), pp. 199–216

  51. R. Sedgewick (ed.), Proceedings of the 17th Annual ACM Symposium on Theory of Computing, May 6–8, 1985, Providence, Rhode Island, USA, ACM (1985)

  52. C.E. Shannon, Communication theory of secrecy systems. Bell Systems Technical Journal 28, 656–715 (1949)

  53. H.-M. Sun, S.-P. Shieh, Secret sharing in graph-based prohibited structures. in Proceedings IEEE INFOCOM ’97, The Conference on Computer Communications, Sixteenth Annual Joint Conference of the IEEE Computer and Communications Societies, Driving the Information Revolution, Kobe, Japan, April 7–12, 1997, IEEE (1997), pp. 718–724

  54. A. Sahai, S.P. Vadhan, A complete problem for statistical zero knowledge. J. ACM 50(2), 196–249 (2003)

  55. S.P. Vadhan, A study of statistical zero-knowledge proofs. Ph.D. Thesis, Massachusetts Institute of Technology (1999)

  56. U.V. Vazirani, Randomness, Adversaries and Computation. Ph.D. Thesis, EECS, UC Berkeley (1986)

  57. H. Wee, Dual system encryption via predicate encodings. in Lindell [42], pp. 616–637

  58. H. Wee, Personal Communication (2018)


Acknowledgements

We thank Pritish Kamath and Hoeteck Wee for helpful discussions, and Mika Göös for helpful pointers. The first author was supported by the European Union’s Horizon 2020 Programme (ERC-StG-2014-2020) under Grant Agreement No. 639813 ERC-CLC, by an ICRC grant and by the Check Point Institute for Information Security. The second author was supported in part by NSF Grant CNS-1350619, and by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236.

Corresponding author

Correspondence to Benny Applebaum.

Additional information

Communicated by Serge Fehr


An extended abstract of this paper appears in the proceedings of the 10th Innovations in Theoretical Computer Science (ITCS) 2019.

Benny Applebaum: Supported by the European Union’s Horizon 2020 Programme (ERC-StG-2014-2020) under Grant Agreement No. 639813 ERC-CLC, by an ICRC grant and by the Check Point Institute for Information Security.

Prashant Nalini Vasudevan: This work was done in part while the author was visiting Tel Aviv University. Supported in part by NSF Grant CNS-1350619, and by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236.

Appendices

A \(\mathrm {ppCDS}\) protocol for \(\mathsf {NEQ}_n\)

Lemma 15

For every constant c, there is a \(\mathrm {CDS} \) protocol for \(\mathsf {NEQ}_n\) with perfect privacy and correctness error of \(2^{-c}\) that supports secrets of length c bits with communication complexity of 4c bits. The randomness complexity is \(O(n+c)\) and it can be reduced to \(O(\log n+c+\log (1/\epsilon ))\), for an arbitrary \(\epsilon >0\), at the expense of increasing the correctness error to \(\delta =2^{-c}+\epsilon \). Moreover, the protocol has a ZPP-type decoder, i.e., (on 1-inputs) the decoder never errs but may output a special “I don’t know” symbol with probability at most \(\delta \).

Proof

The protocol is defined as follows.

  • Shared Randomness: The parties share a pairwise independent hash function h from n-bits to c-bits, and a random c-bit string r.

  • Alice sends \((h(x), z\cdot h(x)+r)\) and Bob sends \((h(y), z\cdot h(y)+r)\), where multiplication is over the field \({\mathbb {F}}_{2^c}\).

  • Decoding: Given (a, b) from Alice and (c, d) from Bob, if \((a-c)=0\) output “I don’t know”, else, output \((b-d)/(a-c)\).

By pairwise independence, when \(x\ne y\) the probability of error (i.e., \(a-c=0\)) is at most \(2^{-c}\). Privacy follows by noting that when \(x=y\), the pair \((a,b)=(c,d)\) is distributed uniformly over \({\mathbb {F}}_{2^c}\times {\mathbb {F}}_{2^c}\).

To reduce the randomness complexity, replace h with an \(\epsilon \)-almost pairwise independent hash function. The error probability grows by \(\epsilon \). To keep perfect privacy, make sure that h is 1-wise independent (i.e., for every x, the value h(x) is uniform). It is possible to sample such a hash function using \(O(\log n+c+\log (1/\epsilon ))\) random bits. \(\square \)
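The protocol of Lemma 15 carried out in code, as an added worked example that is not code from the paper: the pairwise independent hash is realised as an affine map over GF(2) (which is also 1-wise uniform, as the privacy argument needs), and the field \({\mathbb {F}}_{2^c}\) is implemented for the assumed cases c = 4 and c = 8 via a small table of irreducible polynomials; the class name NeqCDS, the helper names and the sample inputs are my own choices.

```python
import secrets

# Added example (not code from the paper): the ppCDS protocol for NEQ_n of Lemma 15.
# The pairwise independent hash is realised as h(x) = A.x XOR b over GF(2), and the
# field F_{2^c} by an assumed table of irreducible polynomials (c = 4 and c = 8 only).
IRREDUCIBLE = {4: 0x13, 8: 0x11B}  # x^4+x+1 and the AES polynomial x^8+x^4+x^3+x+1


def gf_mul(a, b, c, poly):
    """Multiply a, b < 2^c in GF(2^c): carry-less product reduced modulo poly."""
    r = 0
    for _ in range(c):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> c:  # degree reached c, reduce once
            a ^= poly
    return r


def gf_inv(a, c, poly):
    """Inverse of a != 0 in GF(2^c), computed as a^(2^c - 2)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^c)")
    result, base, e = 1, a, (1 << c) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, c, poly)
        base = gf_mul(base, base, c, poly)
        e >>= 1
    return result


def sample_hash(n, c):
    """Pairwise independent h: {0,1}^n -> {0,1}^c, h(x) = A.x XOR b with A a random
    c x n matrix over GF(2) (one n-bit row per output bit) and b a random c-bit string.
    The uniform b makes h(x) uniform for every fixed x, which perfect privacy relies on."""
    return [secrets.randbits(n) for _ in range(c)], secrets.randbits(c)


def hash_eval(h, x):
    rows, b = h
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << i  # parity of <row, x> over GF(2)
    return out ^ b


class NeqCDS:
    """CDS for NEQ_n with c-bit secrets: 2c bits per party, 4c bits in total."""

    def __init__(self, n, c=8):
        self.n, self.c, self.poly = n, c, IRREDUCIBLE[c]

    def shared_randomness(self):
        # Shared randomness: the hash function h and a random c-bit string r.
        return sample_hash(self.n, self.c), secrets.randbits(self.c)

    def _message(self, inp, z, rand):
        h, r = rand
        a = hash_eval(h, inp)
        return a, gf_mul(z, a, self.c, self.poly) ^ r  # (h(inp), z*h(inp) + r)

    def alice(self, x, z, rand):
        return self._message(x, z, rand)

    def bob(self, y, z, rand):
        return self._message(y, z, rand)

    def carol(self, msg_a, msg_b):
        """ZPP-type decoder: z, or None ("I don't know") when h(x) == h(y)."""
        a, b = msg_a
        c_, d = msg_b
        if a == c_:
            return None
        # In characteristic 2 subtraction is XOR: (b - d)/(a - c) = z*(a - c)/(a - c) = z.
        return gf_mul(b ^ d, gf_inv(a ^ c_, self.c, self.poly), self.c, self.poly)


def run_protocol(n, x, y, z, c=8):
    """One execution with fresh shared randomness; returns Carol's output."""
    proto = NeqCDS(n, c)
    rand = proto.shared_randomness()
    return proto.carol(proto.alice(x, z, rand), proto.bob(y, z, rand))


def experiment(n, x, y, z, c, trials):
    """Repeat the protocol; returns (fraction of "I don't know", set of decoded values).
    With x != y the decoder never errs and says "I don't know" w.p. exactly 2^-c here;
    with x == y both messages coincide, so Carol learns nothing about z."""
    outs = [run_protocol(n, x, y, z, c) for _ in range(trials)]
    return sum(o is None for o in outs) / trials, {o for o in outs if o is not None}
```

Running `experiment(32, 0xDEADBEEF, 0xDEADBEE0, 0xA5, 8, 2000)` on these constructed inputs decodes only 0xA5 with an "I don't know" rate near 1/256, while the same call with x = y never decodes anything.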

B Completeness for \(\mathrm {HVSZK'}^{\mathrm {cc}}\) – Proof of Lemma 13

Lemma 13 is proven along the lines of the construction showing a reduction to the “Statistical Difference” problem from any problem with honest-verifier \(\mathrm {HVSZK}^{\mathrm {cc}} \) proofs in the computational setting. We follow rather closely such a reduction presented in [55, Chap. 3].

Proof of Lemma 13

We are given an \(\mathrm {HVSZK'}^{\mathrm {cc}} \) protocol \(\Pi \) for the function f with complexity t, completeness error c, soundness error s, and simulation error \(\eta \) which is, by assumption, smaller than \(O(1/n^3)\). We assume that both the completeness error and soundness error are smaller than some universal constant \(\epsilon \) whose value will be determined by the proof. This is without loss of generality since standard boosting techniques (e.g., taking majority over multiple copies of the protocol) reduce soundness and correctness error to \(\epsilon \) with a multiplicative overhead of \(O(\log (1/\epsilon ))\) in the simulation error and in the randomness and communication complexity measures of the protocol. Let the various quantities \(c_V\), \(c_M\), \(c_S\), \(\rho _V\), and \(\rho _S\) be as in Definition 7 – note that all of these are at most t which, in turn, is at most n. Let the number of rounds in the protocol be v – this means the number of messages (sent between Alice and Merlin) is 2v. For notational convenience, we assume, without loss of generality, that the final message is sent by Alice and consists of all the random bits she shared with Bob (this is the \((2v-1)^{\text {th}}\) message, and the \(2v^{\text {th}}\) message is empty).

Denote by S the simulator for this \(\mathrm {HVSZK'}^{\mathrm {cc}} \) protocol \(\Pi \). Recall that S (written as \(\Pi _S\) in Definition 7) is a two-party protocol with shared randomness that simulates the views of Alice and Bob. That is, S is being executed by two parties A(x) and B(y), such that for every input (x, y) with \(f(x,y)=1\), the output distribution \(({\widehat{V}}_A,{\widehat{V}}_B)\) is statistically close to that of the actual views of Alice and Bob in \(\Pi (x,y)\). Throughout this proof, we will only use the part of the simulated transcript corresponding to the communication between Alice and Merlin, and the shared randomness between Alice and Bob, and we simply ignore the rest of the simulator’s output.

Fix some input (x, y). Denote by \(S_i\) (for \(i \in [2v]\)) the protocol that runs the simulator protocol S on (x, y) and outputs just the first i simulated messages between Alice and Merlin. We define the following two intermediate protocols:

  • The protocol \(\Phi _0\) runs one instance each of \(S_2, S_4, \dots , S_{2v}\), and outputs the concatenation of their outputs.

  • The protocol \(\Phi _1\) works as follows:

    1. Run one instance each of \(S_1, S_3, \dots , S_{2v-1}\), and output their outputs.

    2. Output \((\rho _V-4)\) uniformly random bits.

    3. Run S independently \(100\log {c_M}\) times. If a majority of the resulting transcripts are rejecting, set Z to be a random string of length \((vc_M+2)\), and, otherwise set Z to be the empty string. Append Z to the output.

So far, the outputs of either of \(\Phi _0\) and \(\Phi _1\) are \(O(t^2)\) bits long (as the output of any \(S_i\) is at most O(t) bits), and the same is true of their communication and randomness complexities. We first show the following differences in the behaviour of the entropies of the output distributions of the above protocols depending on the value of f(x, y).

Proposition 3

For sufficiently large n’s, if \(f(x,y) = 1\), then \(H(\Phi _0) \ge H(\Phi _1) + 1\), and if \(f(x,y) = 0\), then \(H(\Phi _1) \ge H(\Phi _0) + 1\).

We prove Proposition 3 in Section B.1. The next step is to extract this purported difference in the entropies of the protocols. Let the output lengths of \(\Phi _0\) and \(\Phi _1\) be m, and say they each use \(\rho \) bits of shared randomness. (Recall that both \(m=O(t^2)\) and \(\rho =O(t^2)\).) Let \(q = \Theta (\rho ^2)\) be a parameter whose exact value will be determined later. Let \(\Phi _0^q\) (respectively, \(\Phi _1^q\)) denote the protocol obtained by repeating \(\Phi _0\) (respectively, \(\Phi _1\)) q times. Pick a family \(G = \left\{ g: \left\{ 0,1 \right\} ^{q(m+\rho )}\rightarrow \left\{ 0,1 \right\} ^{qm} \right\} \) of 2-universal hash functions that can be sampled with \(O(q(m+\rho ))\) bits of randomness (e.g., by using Toeplitz matrices). For \(r \in \left\{ 0,1 \right\} ^{q\rho }\), denote by \(\Phi _0^q(r)\) the protocol \(\Phi _0^q\) run with r as the shared randomness.

Our final protocols are defined as follows:

  • \(\Pi _0\):

    1. Pick an \(r {\mathop {\leftarrow }\limits ^{R}}\left\{ 0,1 \right\} ^{q\rho }\) and run \(\Phi _0^q(r)\) to get its output \(\phi _0\).

    2. Run \(\Phi _1^q\) (with independent fresh randomness) to get its output \(\phi _1\).

    3. Pick a hash function \(g {\mathop {\leftarrow }\limits ^{R}}G\) and output \((\phi _0,g,g(r,\phi _1))\).

  • \(\Pi _1\):

    1. Run \(\Phi _0^q\) to get its output \(\phi _0\).

    2. Pick a hash function \(g {\mathop {\leftarrow }\limits ^{R}}G\) and an \(r' {\mathop {\leftarrow }\limits ^{R}}\left\{ 0,1 \right\} ^{qm}\) and output \((\phi _0,g,r')\).

The communication and randomness complexities and the output lengths of the above protocols are all \(O(q(m+\rho )) = O(t^6)\). To complete the proof of the lemma, it suffices to prove the following implications

$$\begin{aligned} H(\Phi _0) > H(\Phi _1) + 1 \quad&\Rightarrow \quad \Delta \left( \Pi _0(x,y) ; \Pi _1(x,y) \right) \ge 0.99, \end{aligned}$$
(8)
$$\begin{aligned} H(\Phi _1) > H(\Phi _0) + 1 \quad&\Rightarrow \quad \Delta \left( \Pi _0(x,y) ; \Pi _1(x,y) \right) \le 0.01. \end{aligned}$$
(9)

Our analysis will be based on the entropy that the random string \(r \in \left\{ 0,1 \right\} ^\rho \) and the output of \(\Phi _1\) have conditioned on the output of \(\Phi _0(r)\). Denoting the random variable corresponding to r by R, this quantity is written as follows:

$$\begin{aligned} H(R,\Phi _1|\Phi _0(R))&= H(\Phi _1) + H(R|\Phi _0(R))\\&= H(\Phi _1) + H(R,\Phi _0(R)) - H(\Phi _0(R))\\&= H(\Phi _1) + H(R) - H(\Phi _0)\\&= \rho + H(\Phi _1) - H(\Phi _0) \end{aligned}$$

where the second-to-last equality follows from the fact that r is the only source of randomness for the protocol \(\Phi _0\).

The statistical distance between the outputs of \(\Pi _0\) and \(\Pi _1\) is that between

$$\begin{aligned}(\Phi _0^q(R^q),G,G(R^q,\Phi _1^q)) \qquad \text {and} \qquad (\Phi _0^q(R^q),G,U),\end{aligned}$$

where G is the hash function chosen by the protocol, U is the uniform distribution over strings of the appropriate length, and \(\Phi _0^q\), \(\Phi _1^q\) and \(R^q\) denote independent q-fold repetitions of \(\Phi _0\), \(\Phi _1\) and R, respectively.

Suppose that \(H(\Phi _1) \ge H(\Phi _0) + 1\). We wish to show that the hash of \((R^q,\Phi _1^q)\) is close to uniform. We do this using the following appropriate leftover hash lemma, which follows from results in [34, 50] (see Theorem 4.8 and Lemma 4.9 in [13] for the necessary summary).

Lemma 16

(Leftover Hash Lemma with Flattening) For some natural numbers q, n and m, let \(G = \left\{ g: \left\{ 0,1 \right\} ^{qn} \rightarrow \left\{ 0,1 \right\} ^{m} \right\} \) be a family of universal hash functions. For any random variables (X, Y) where X is distributed over \(\left\{ 0,1 \right\} ^n\), let \((X^q,Y^q)\) denote the q-fold repetition of (X, Y). Then, for any \(\delta \ge 0\),

$$\begin{aligned} \Delta \left( (Y^q,G,G(X^q,Y^q)) ; (Y^q,G,U) \right) \le 2^{-\frac{q\delta ^2}{3n^2}} + \frac{1}{2} \cdot \sqrt{2^{-q(H(X|Y) - \delta )} \cdot 2^{m}} \end{aligned}$$

where U is uniform over \(\left\{ 0,1 \right\} ^{qm}\).

In our case, the variable X corresponds to \((R,\Phi _1)\), Y corresponds to \(\Phi _0(R)\), and the conditional entropy H(X|Y) is at least \((\rho +1)\). We pick \(\delta \) to be a small constant (say 0.01), and set q to be \(dt^4\) for a constant d that is large enough (say \(10^5\)) for the following bounds. The length of the output of the hash function here is \(q\rho \), and applying Lemma 16, we have the following:

$$\begin{aligned} \Delta \left( \Pi _0 ; \Pi _1 \right)&= \Delta \left( (\Phi _0^q(R^q),G,G(R^q,\Phi _1^q)) ; (\Phi _0^q(R^q),G,U) \right) \\&\le 2^{-\frac{10^5t^4 \cdot \delta ^2}{3 \cdot O(t^2)^2}} + \frac{1}{2} \cdot \sqrt{2^{-q(\rho +1-\delta -\rho )}}\\&\le 0.01 \end{aligned}$$

This proves Eq. (8).

Next, suppose that \(H(\Phi _0) \ge H(\Phi _1) + 1\). In this case, \(H(R,\Phi _1|\Phi _0(R))\) is at most \((\rho -1)\), and we wish to show that the above distributions are far. We make use of the following lemma that is again to be found in [34] (as Theorem 2).

Lemma 17

Let (X, Y) be random variables where X is distributed over \(\left\{ 0,1 \right\} ^n\), and let \((X^q,Y^q)\) denote their q-fold repetition. For any \(\delta \in [0,n]\), and any y in the support of \(Y^q\), there exists a set \(T^\delta _y \subseteq \left\{ 0,1 \right\} ^{qn}\) that is of size at most \(2^{q(H(X|Y)+\delta )}\) such that:

$$\begin{aligned} \Pr _{(x,y)\leftarrow (X^q,Y^q)}\left[ x \in T^\delta _y \right] \ge 1 - 2 \cdot 2^{-\frac{q\delta ^2}{3n^2}} \end{aligned}$$

Taking X, Y and \(\delta \) to be as earlier, Lemma 17 implies that for any \(\phi _0\) in the support of \(\Phi _0^q(R^q)\), there is a set \(T^{\delta }_{\phi _0}\) of size at most \(2^{q(\rho - 1 + \delta )}\) such that:

$$\begin{aligned} \Pr _{r\leftarrow \left\{ 0,1 \right\} ^{q\rho },\phi _0\leftarrow \Phi _0^q(r),\phi _1\leftarrow \Phi _1^q}\left[ (r,\phi _1) \in T^\delta _{\phi _0} \right] \ge 1 - 2 \cdot 2^{-\frac{10^5 t^4 \delta ^2}{3\cdot O(t^2)^2}} \end{aligned}$$

For a hash function g, let \(g(T^{\delta }_{\phi _0})\) denote the set of images of elements of \(T^{\delta }_{\phi _0}\); note that \(\left| g(T^{\delta }_{\phi _0})\right| \le \left| T^{\delta }_{\phi _0}\right| \le 2^{q(\rho -1+\delta )}\). The statistical distance between \(\Pi _0\) and \(\Pi _1\) can be written as follows:

$$\begin{aligned} \Delta \left( \Pi _0 ; \Pi _1 \right)&= \Delta \left( (\Phi _0^q(R^q),G,G(R^q,\Phi _1^q)) ; (\Phi _0^q(R^q),G,U) \right) \\&\ge \Pr _{r\leftarrow \left\{ 0,1 \right\} ^{q\rho },\phi _0\leftarrow \Phi _0^q(r),\phi _1\leftarrow \Phi _1^q,g\leftarrow G}\left[ g(r,\phi _1) \in g(T^\delta _{\phi _0}) \right] \\&\quad - \Pr _{\phi _0\leftarrow \Phi _0^q,g\leftarrow G,r'\leftarrow \left\{ 0,1 \right\} ^{q\rho }}\left[ r' \in g(T^\delta _{\phi _0}) \right] \\&\ge 1 - 2 \cdot 2^{-\frac{10^5 t^4 \delta ^2}{3\cdot O(t^2)^2}} - \frac{2^{q(\rho -1-\delta )}}{2^{q\rho }}\\&\ge 0.99, \end{aligned}$$

establishing Eq. (9). Lemma 13 follows. \(\square \)

B.1 Proof of Proposition 3

Recall that we have fixed an input (x, y) and recall that Z is a random variable that consists of \((vc_M+2)\) random bits if the majority of \(100\log {c_M}\) runs of S on (x, y) produces rejecting transcripts, and is empty otherwise. We can now write the entropies of the outputs of the two protocols as follows:

$$\begin{aligned} H(\Phi _0)&= \sum _{i=1}^v H(S_{2i})\\ H(\Phi _1)&= \sum _{i=1}^v H(S_{2i-1}) + (\rho _V-4) + H(Z). \end{aligned}$$

The difference between these entropies is:

$$\begin{aligned} H(\Phi _1) - H(\Phi _0) = \left( \rho _V - \sum _{i=1}^v (H(S_{2i}) - H(S_{2i-1}))\right) + H(Z) - 4. \end{aligned}$$
(10)

To analyze the first expression in the RHS, we make use of the following corollary of Lemmas 3.3.8, 3.3.11, and 3.3.12 from [55]. While these were originally stated in the computational setting, it may be seen that these lemmas only concern the properties of the simulator’s output in an interactive protocol, and are oblivious to the model of computation of the verifier as long as all of its randomness is accounted for in the following statement.

Proposition 4

On input (x, y), define the following quantities: Let \(\eta =\eta _{x,y}\) be the statistical distance between the distribution of the output of S and that of the actual transcript of \(\Pi \) on the input (x, y), let \(p=p_{x,y}\) be the probability that S outputs an accepting transcript, and let \(q=q_{x,y}\) be the maximum, over all strategies of Merlin, of the probability that Alice and Bob accept. Then, the expression

$$\begin{aligned}A=\rho _V - \sum _{i=1}^v \left( H(S_{2i}) - H(S_{2i-1})\right) \end{aligned}$$

satisfies the upper-bound

$$\begin{aligned} A \le 2v \left( c_M \eta + h(\eta ) \right) , \end{aligned}$$

where \(h(\cdot )\) denotes the binary Shannon entropy. If \(p \ge q\), then we also have the lower-bound

$$\begin{aligned} A \ge d(p||q), \end{aligned}$$

where \(d(\cdot ||\cdot )\) denotes the binary KL-divergence.

The rest of the analysis combines the above proposition with simple upper and lower bounds on the entropy of the random variable Z.

The case \(f(x,y) = 1\). In order to show that \(H(\Phi _1) - H(\Phi _0) < -1\), we have to upper-bound the entropy of the variable Z. Denote by E the event that a majority of the \(100\log {c_M}\) runs of S (used in sampling Z) produce rejecting transcripts. As long as the correctness and simulation errors are small enough constants, by a Chernoff bound, \(\Pr \left[ E \right] \) is at most, say, \(1/5c_M^3\). Also, unless E happens, Z is empty and has no entropy. Since E is also completely determined by Z, we may bound H(Z) as:

$$\begin{aligned} H(Z)&= H(Z,E) = H(E) + H(Z|E) \le h\left( \frac{1}{5c_M^3}\right) + \frac{1}{5c_M^3} \cdot (c_Mv+2) \nonumber \\&\quad + \left( 1 - \frac{1}{5c_M^3}\right) \cdot 0 < 2 \end{aligned}$$
(11)

Putting together Eqs. (10) and (11) and the upper-bound part of Proposition 4, we have:

$$\begin{aligned} H(\Phi _1) - H(\Phi _0)< 2v \left( c_M \eta + h(\eta )\right) - 2< 2c_M \left( c_M \eta + \eta \log (4/\eta )\right) - 2 \end{aligned}$$

where the last inequality is due to the fact that the round complexity v is upper-bounded by the communication complexity \(c_M\), and due to the inequality \(h(p)<p\log (4/p)\) for any \(p\in [0,\frac{1}{2})\) from [20, Theorem 2.2]. Recall that the simulation error, \(\eta \), is smaller than \(O(1/n^3)\) which, for sufficiently large n, is smaller than \(1/(4c_M^2)\). We therefore conclude that \(H(\Phi _1) - H(\Phi _0) <-1\), as required.

The case \(f(x,y) = 0\). Our goal now is to show that \(H(\Phi _1) - H(\Phi _0) > 1\). We distinguish between two cases. First, if the probability p that S outputs accepting transcripts is at most 1/4 then, again by the Chernoff bound, the probability that Z is empty is at most \(1/5c_M^3\). Thus,

$$\begin{aligned}H(\Phi _1) > H(Z) \ge (1-1/5c_M^3) \cdot (c_Mv+2) \ge (c_Mv+1) \ge H(\Phi _0)+1,\end{aligned}$$

and we are done.

Next suppose that p is larger than 1/4. By the soundness of the \(\mathrm {HVSZK'}^{\mathrm {cc}} \) protocol, the maximum probability that Alice accepts for any Merlin strategy, denoted by q, is at most s, the soundness error. Thus, d(p||q) is at least d(0.25||s), which in turn is at least 5 if s is a small enough constant. Now, using Eq. (10), the lower-bound part of Proposition 4, and the fact that \(H(Z) \ge 0\), we have:

$$\begin{aligned} H(\Phi _1) - H(\Phi _0) \ge d(p||q) - 4 \ge 1. \end{aligned}$$

This completes the proof of Proposition 3. \(\square \)


Cite this article

Applebaum, B., Vasudevan, P.N. Placing Conditional Disclosure of Secrets in the Communication Complexity Universe. J Cryptol 34, 11 (2021). https://doi.org/10.1007/s00145-021-09376-1
