TY - GEN
T1 - Optimal linear multiparty conditional disclosure of secrets protocols
AU - Beimel, Amos
AU - Peter, Naty
N1 - Publisher Copyright:
© 2018, International Association for Cryptologic Research.
PY - 2018/1/1
Y1 - 2018/1/1
N2 - In a k-party CDS protocol, each party sends one message to a referee (without seeing the other messages) such that the referee will learn a secret held by the parties if and only if the inputs of the parties satisfy some condition (e.g., if the inputs are all equal). This simple primitive is used to construct attribute-based encryption, symmetrically-private information retrieval, priced oblivious transfer, and secret-sharing schemes for any access structure. Motivated by these applications, CDS protocols have recently been studied in many papers. In this work, we study linear CDS protocols, where each of the messages of the parties is a linear function of the secret and random elements taken from some finite field. Linearity is an important property of CDS protocols, as many applications of CDS protocols require it. Our main result is a construction of linear k-party CDS protocols for an arbitrary function f : [N]^k → {0,1} with messages of size O(N^((k-1)/2)) (a similar result was independently and in parallel proven by Liu et al. [27]). By a lower bound of Beimel et al. [TCC 2017], this message size is optimal. We also consider functions with few inputs that return 1, and design more efficient CDS protocols for them. CDS protocols can be used to construct secret-sharing schemes for uniform access structures, where for some k all sets of size less than k are unauthorized, all sets of size greater than k are authorized, and each set of size k can be either authorized or unauthorized. We show that our results imply that every k-uniform access structure with n parties can be realized by a linear secret-sharing scheme with share size min{(O(n/k))^((k-1)/2), O(n · 2^(n/2))}. Furthermore, the linear k-party CDS protocol with messages of size O(N^((k-1)/2)) was recently used by Liu and Vaikuntanathan [STOC 2018] to construct a linear secret-sharing scheme with share size O(2^(0.999n)) for any n-party access structure.
KW - Conditional disclosure of secrets protocols
KW - Secret-sharing schemes
UR - http://www.scopus.com/inward/record.url?scp=85057626366&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-03332-3_13
DO - 10.1007/978-3-030-03332-3_13
M3 - Conference contribution
AN - SCOPUS:85057626366
SN - 9783030033316
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 332
EP - 362
BT - Advances in Cryptology – ASIACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
A2 - Peyrin, Thomas
A2 - Galbraith, Steven
PB - Springer Verlag
T2 - 24th Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2018
Y2 - 2 December 2018 through 6 December 2018
ER -